
Additional Praise for Implementing Enterprise Risk Management

“Educators the world over seeking to make the management of risk an integral part of management degrees have had great difficulties in providing their students with a definitive ERM text for their course. The Standards and associated Handbooks helped, but until the arrival of Implementing Enterprise Risk Management: Case Studies and Best Practices, there has been no text to enlighten students on the application of an effective program to manage risk across an enterprise so that objectives are maximized and threats minimized. Fraser, Simkins, and Narvaez have combined with a group of contributors that represent the cream of risk practitioners, to provide the reader with a clear and concise journey through the management of risk within a wide range of organizations and industries. The knowledge, skills, and experience in the management of risk contained within the covers of this book are second to none. It will provide a much needed resource to students and practitioners for many years to come and should become a well-used reference on the desk of every manager of risk.”

—Kevin W. Knight AM, chairman, ISO/TC 262—Risk Management

“The authors—Fraser, Simkins, and Narvaez—have done an invaluable service to advance the science of enterprise risk management by collecting an extensive number of wonderful case studies that describe innovative risk management practices in a diverse set of companies around the world. This book should be an extremely valuable source of knowledge for anyone interested in the emerging and evolving field of risk management.”

—Robert S. Kaplan, senior fellow, Marvin Bower Professor of Leadership Development, emeritus, Harvard University

“Lessons learned from case studies and best practices represent an efficient way to gain practical insights on the implementation of ERM. Implementing Enterprise Risk Management provides such insights from a robust collection of ERM programs across public companies and private organizations. I commend the editors and contributors for making a significant contribution to ERM by sharing their experiences.”

—James Lam, president, James Lam & Associates; director and Risk Oversight Committee chairman, E∗TRADE Financial Corporation; author, Enterprise Risk Management—From Incentives to Controls

“For those who still think that enterprise risk management is just a fad, the varied examples of practical value-generating uses contained in this book should dispel any doubt that the discipline is here to stay! The broad collection of practices is insightful for students, academics, and executives, as well as seasoned risk management professionals.”

—Carol Fox, ARM, director of Strategic and Enterprise Risk Practice, RIMS

“Managing risk across the enterprise is the new frontier of business management. Doing so effectively, in my view, will be the single most important differentiating factor for many enterprises in the twenty-first century. Implementing Enterprise Risk Management: Case Studies and Best Practices is an innovative and important addition to the literature and contains a wealth of insight in this critical area. This book’s integration of theory with hands-on, real-world lessons in managing enterprise risk provides an opportunity for its readers to gain insight and understanding that could otherwise be acquired only through many years of hard-earned experience.

I highly recommend this book for use by executives, line managers, risk managers, and business students alike.”

—Douglas F. Prawitt, professor of Accounting at Brigham Young University, and Committee of Sponsoring Organizations (COSO) Executive Board member

“The real beauty of and value in this book is its case study focus and the wide variety of firms profiled and writers’ perspectives shared. This will provide readers with a wealth of details and views that will help them chart an ERM journey of their own that is more likely to fit the specific and typically customized ERM needs of the firms for whom they toil.”

—Chris Mandel, senior vice president, Strategic Solutions for Sedgwick; former president of the Risk Management Society and the 2004 Risk Manager of the Year

“Implementing Enterprise Risk Management looks at many industries through excellent case studies, providing a real-world base for its recommendations and an important reminder that ERM is valuable in many industries. I highly recommend this text.”

—Russell Walker, clinical associate professor, Kellogg School of Management; author of Winning with Risk Management

“The body of knowledge in Implementing Enterprise Risk Management continues to develop as business educators and leaders confront a complex and rapidly changing environment. This book provides a valuable resource for academics and practitioners in this dynamic area.”

—Mark L. Frigo, director, Strategic Risk Management Lab, Kellstadt Graduate School of Business, DePaul University

“The management of enterprise risk is one of the most vexatious problems confronting boards and executives worldwide. This is why this latest book by Fraser, Simkins, and Narvaez is a much needed and highly refreshing approach to the subject. The editors have managed to assemble an impressive list of contributors who, through a series of fascinating real-life case studies, adroitly help educate readers to better understand and deal with the myriad of risks that can assault, seriously maim, and/or kill an organization. This is a ‘how to’ book written with the ‘risk management problem solver’ in mind. It provides the link that has been missing for effectively teaching ERM at the university and executive education levels and it is an exceptional achievement by true risk management advocates.”

—Dr. Chris Bart, FCPA, founder and lead faculty, The Directors College of Canada

“The Institute of Risk Management welcomes the publication of this highly practical text which should be of great interest to our students and members around the world. Implementing Enterprise Risk Management brings together a fine collection of detailed case studies from organizations of varying sizes and working in different sectors, all seeking to enhance their business performance by managing their risks more effectively, from the boardroom to the shop floor. This book makes a valuable contribution to the body of knowledge of what works that will benefit the development of the risk profession.”

—Carolyn Williams, technical director, Institute of Risk Management


The Robert W. Kolb Series in Finance provides a comprehensive view of the field of finance in all of its variety and complexity. The series is projected to include approximately 65 volumes covering all major topics and specializations in finance, ranging from investments, to corporate finance, to financial institutions. Each volume in the Kolb Series in Finance consists of new articles especially written for the volume.

Each volume is edited by a specialist in a particular area of finance, who develops the volume outline and commissions articles by the world’s experts in that particular field of finance. Each volume includes an editor’s introduction and approximately thirty articles to fully describe the current state of financial research and practice in a particular area of finance.

The essays in each volume are intended for practicing finance professionals, graduate students, and advanced undergraduate students. The goal of each volume is to encapsulate the current state of knowledge in a particular area of finance so that the reader can quickly achieve a mastery of that special area of finance.


Implementing Enterprise Risk Management: Case Studies and Best Practices


John R.S. Fraser, Betty J. Simkins, and Kristina Narvaez

The Robert W. Kolb Series in Finance

Cover Design: Wiley Cover Image: ©

Copyright © 2015 by John R.S. Fraser, Betty J. Simkins, Kristina Narvaez. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at For more information about Wiley products, visit

Library of Congress Cataloging-in-Publication Data:

ISBN 978-1-118-69196-0 (Hardcover)
ISBN 978-1-118-74576-2 (ePDF)
ISBN 978-1-118-74618-9 (ePub)

Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1

To Wendy, my wonderful wife and my inspiration, and to my parents who instilled in me a lifelong thirst for learning.

—John Fraser

To my husband (Russell) and our family: sons and daughters-in-law (Luke & Stephanie and Walt & Lauren), daughter and son-in-law (Susan & Jason), and our youngest daughter (April). Thank you for your love, support, and encouragement!

—Betty Simkins

I would like to thank my husband and four children for supporting me on my journey of writing two chapters and co-editing this book. I would also like to thank the Risk and Insurance Management Society for supporting me during my educational years and providing great workshops and conferences on enterprise risk management.

—Kristina Narvaez


Foreword xiii

1 Enterprise Risk Management Case Studies: An Introduction and Overview 1 John R.S. Fraser, Betty J. Simkins, and Kristina Narvaez

PART I Overview and Insights for Teaching ERM 17

2 An Innovative Method to Teaching Enterprise Risk Management: A Learner-Centered Teaching Approach 19 David R. Lange and Betty J. Simkins

PART II ERM Implementation at Leading Organizations 37

3 ERM at Mars, Incorporated: ERM for Strategy and Operations 39 Larry Warner

4 Value and Risk: Enterprise Risk Management at Statoil 59 Alf Alviniussen and Håkan Jankensgård

5 ERM in Practice at the University of California Health System 75 Grace Crickette

6 Strategic Risk Management at the LEGO Group: Integrating Strategy and Risk Management 93 Mark L. Frigo and Hans Læssøe

7 Turning the Organizational Pyramid Upside Down: Ten Years of Evolution in Enterprise Risk Management at United Grain Growers 107 John Bugalla


x Contents

8 Housing Association Case Study of ERM in a Changing Marketplace 119 John Hargreaves

9 Lessons from the Academy: ERM Implementation in the University Setting 143 Anne E. Lundquist

10 Developing Accountability in Risk Management: The British Columbia Lottery Corporation Case Study 179 Jacquetta C. M. Goy

11 Starting from Scratch: The Evolution of ERM at the Workers’ Compensation Fund 207 Dan M. Hair

12 Measuring Performance at Intuit: A Value-Added Component in ERM Programs 227 Janet Nasburg

13 TD Bank’s Approach to an Enterprise Risk Management Program 241 Paul Cunha and Kristina Narvaez

PART III Linking ERM to Strategy and Strategic Risk Management 251

14 A Strategic Approach to Enterprise Risk Management at Zurich Insurance Group 253 Linda Conrad and Kristina Narvaez

15 Embedding ERM into Strategic Planning at the City of Edmonton 281 Ken Baker

16 Leveraging ERM to Practice Strategic Risk Management 305 John Bugalla and James Kallman

PART IV Specialized Aspects of Risk Management 319

17 Developing a Strategic Risk Plan for the Hope City Police Service 321 Andrew Graham

18 Blue Wood Chocolates 335 Stephen McPhie and Rick Nason


19 Kilgore Custom Milling 363 Rick Nason and Stephen McPhie

20 Implementing Risk Management within Middle Eastern Oil and Gas Companies 377 Alexander Larsen

21 The Role of Root Cause Analysis in Public Safety ERM Programs 397 Andrew Bent

22 JAA Inc.—A Case Study in Creating Value from Uncertainty: Best Practices in Managing Risk 427 Julian du Plessis, Arnold Schanfield, and Alpaslan Menevse

23 Control Complacency: Rogue Trading at Société Générale 461 Steve Lindo

24 The Role of VaR in Enterprise Risk Management: Calculating Value at Risk for Portfolios Held by the Vane Mallory Investment Bank 489 Allissa A. Lee and Betty J. Simkins

25 Uses of Efficient Frontier Analysis in Strategic Risk Management: A Technical Examination 501 Ward Ching and Loren Nickel

PART V Mini-Cases on ERM and Risk 523

26 Bim Consultants Inc. 525 John R.S. Fraser

27 Nerds Galore 529 Rob Quail

28 The Reluctant General Counsel 535 Norman D. Marks

29 Transforming Risk Management at Akawini Copper 539 Grant Purdy

30 Alleged Corruption at Chessfield: Corporate Governance and the Risk Oversight Role of the Board of Directors 547 Richard Leblanc


31 Operational Risk Management Case Study: Bon Boulangerie 555 Diana Del Bel Belluz

PART VI Other Case Studies 559

32 Constructive Dialogue and ERM: Lessons from the Financial Crisis 561 Thomas H. Stanton

33 Challenges and Obstacles of ERM Implementation in Poland 577 Zbigniew Krysiak and Sławomir Pijanowski

34 Turning Crisis into Opportunity: Building an ERM Program at General Motors 607 Marc S. Robinson, Lisa M. Smith, and Brian D. Thelen

35 ERM at Malaysia’s Media Company Astro: Quickly Implementing ERM and Using It to Assess the Risk-Adjusted Performance of a Portfolio of Acquired Foreign Companies 623 Patrick Adam K. Abdullah and Ghislain Giroux Dufort

About the Editors 649

Index 651


Enterprise Risk Management is an evolving discipline focused on a complex and still imperfectly understood subject. In such a situation, science is advanced best by collecting data from multiple, independent sites. A rich set of observations educates the field’s scholars and practitioners and provides the foundation for them to develop descriptive and normative theories as well as codified best practices about the subject.

The authors—Fraser, Simkins, and Narvaez—have done an invaluable service to advance the science of enterprise risk management by collecting an extensive number of wonderful case studies that describe innovative risk management practices in a diverse set of companies around the world. This book should be an extremely valuable source of knowledge for anyone interested in the emerging and evolving field of risk management. We should be grateful to the editors and to each chapter author for expanding the body of knowledge for risk management professionals and academics.

Robert S. Kaplan, Senior Fellow, Marvin Bower Professor of Leadership Development, Emeritus, Harvard University



Enterprise Risk Management Case Studies: An Introduction and Overview

JOHN R.S. FRASER Senior Vice President, Internal Audit, and former Chief Risk Officer, Hydro One Networks Inc.

BETTY J. SIMKINS Williams Companies Chair of Business and Professor of Finance, Oklahoma State University

KRISTINA NARVAEZ President and Owner of ERM Strategies, LLC

Businesses, business schools, regulators, and the public are now scrambling to catch up with the emerging field of enterprise risk management.

—Robert Kaplan (quote from Foreword in Fraser and Simkins, 2010)

Most executives with MBA degrees were not taught ERM. In fact, there are only a few universities that teach ERM. So some business school graduates are strong in finance, marketing, and management theory, but they are limited in terms of critical thinking, business acumen, and risk analysis skills.

—Paul Walker1

THE EVOLUTION OF ENTERPRISE RISK MANAGEMENT

Over the past two decades enterprise risk management (ERM) has evolved from concepts and visions of how risks should be addressed to a methodology that is becoming entrenched in modern management and is now increasingly expected by those in oversight roles (e.g., governing bodies and regulators). As Felix Kloman describes in his chapter “A Brief History of Risk Management,” published in Fraser and Simkins (2010), many of the concepts go back a very long time and many of the so-called newly discovered techniques can be referenced to the earlier writings and practices described by Kloman. However, it is only from around the mid-1990s that the concept of giving a name to managing risks in a holistic way across the many operating silos of an enterprise started to take hold. In the 1990s, terms such as integrated risk management and enterprise-wide risk management were also used. Many thought leaders, for example, those who created ISO 31000,2 believe that the term risk management is all that is needed to describe good risk management; however, many others believe that the latter term is often used to describe risk management at the lower levels of the organization and does not necessarily capture the concepts of enterprise-level approaches to risk. As a result, the term ERM is used throughout this book.

2 Implementing Enterprise Risk Management

As ERM continues to evolve there is still much discussion and confusion over exactly what it is and how it should be achieved. It is important to realize that it is still evolving and may take many more years before it is fully codified and practiced in a consistent way. In fact, there is a grave danger now of believing that there is only one way of doing ERM. This is probably a mistake by regulators who have too eagerly seized some of these concepts and are trying to impose them when the methods are not fully understood, and in some cases the requirements are unlikely to produce the desired results. As Fraser and Simkins (2010) noted in their first book on ERM: “While regulatory interest can force ERM into companies, if not done well, it can become another box-ticking exercise that adds little value.”3

The leading and most commonly agreed4 guideline to holistic risk management is ISO 31000. However, it should be mentioned that in the United States the COSO 2004 Enterprise Risk Management–Integrated Framework has been the dominant framework used to date. Many organizations are currently adopting one or the other of these frameworks and then customizing them to their own context.

WHY THE NEED FOR A BOOK WITH ERM CASE STUDIES?

Following the success of the earlier Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives by Fraser and Simkins (2010), we found through our own teaching experiences, and by talking to others, that there was an urgent need for a university-level textbook of ERM case studies to help educate executives, risk practitioners, academics, and students alike about the evolving methodology. As a result, Fraser and Simkins, together with Kristina Narvaez, approached many of the leading ERM specialists to write case studies for this book.

Surveys have also shown that there is a dire need for more case studies on ERM (see Fraser, Schoening-Thiessen, and Simkins 2008). Additionally, surveys of risk executives report that business risk is increasing due to new technologies, faster rate of change, increases in regulatory risk, and more (PWC 2014). As Paul Walker of St. John’s University points out in the opening quote of the 2014 American Productivity & Quality Center (APQC) report on ERM, “Most executives with MBA degrees were not taught ERM. In fact, there are only a few universities that teach ERM. So some business school graduates are strong in finance, marketing, and management theory, but they are limited in terms of critical thinking, business acumen, and risk analysis skills.” Learner-Centered Teaching (LCT), as discussed in Chapter 2, is an ideal way to develop these skills. Using LCT and the case study approach, students actively participate in the learning process through constructive reflective reasoning, critical thinking and analysis, and discussion of key issues. This is the first book to provide such a broad coverage of case studies on ERM.

The case studies that follow are from some of the leading academics and practitioners of enterprise risk management. While many of the cases are about real-life situations, there are also those that, while based on real-life experiences, have had names changed to maintain confidentiality or are composites of several situations. We are deeply indebted to the authors and to the organizations that agreed so kindly to share their stories to help benefit future generations of ERM practitioners. In addition, we have added several chapters where we feel the fundamentals of these specialized techniques (e.g., VaR) deserve to be understood by ERM students and practitioners. Each case study provides opportunities for executives, risk practitioners, and students to explore what went well, what could have been done differently, and what lessons are to be learned.

Teachers of ERM will find a wealth of material to use in demonstrating ERM principles to students. These can be used for term papers or class discussions, and the approaches can be contrasted to emphasize different contexts that may require customized approaches. This book introduces the reader to a wide range of concepts and techniques for managing risks in a holistic way, by correctly identifying risks and prioritizing the appropriate responses. It offers a broad overview of the various types of ERM techniques, the role of the board of directors, risk tolerances, profiles, workshops, and allocation of resources, while focusing on the principles that determine business success.

Practitioners interested in implementing ERM, enhancing their knowledge on the subject, or wishing to mature their ERM program, will find this book an essential resource. Case studies are one of the best ways to learn more on this topic.

This book is a companion to Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (Fraser and Simkins 2010). Together, these two books can create a curriculum of study for business students and risk practitioners who desire to have a better understanding of the world of enterprise risk management and where it is heading in the future. Boards and senior leadership teams in progressive organizations are now engaging in building ERM into their scenario-planning and decision-making processes. These forward-looking organizations are also integrating ERM into the business-planning process with resource allocation and investment decisions. At the business unit level, ERM is being used to measure the performance of risk-taking activities of employees.

As these case studies demonstrate, ERM is a continuous improvement process and takes time to evolve. As can be gleaned from these case studies, most firms that have taken the ERM journey started with a basic ERM language, risk identification, and risk-assessment process and then moved down the road to broaden their programs to include risk treatments, monitoring, and reporting processes. The ultimate goal of ERM is to have it embedded into the risk culture of the organization and drive the decision-making process to make more sound business decisions.


SUMMARY OF THE BOOK CHAPTERS

As mentioned earlier, the purpose of this book is to provide case studies on ERM in order to educate executives, risk practitioners, academics, and students alike about this evolving methodology. To achieve this goal, the book is organized into the following sections:

Part I: Overview and Insights for Teaching ERM
Part II: ERM Implementation at Leading Organizations
Part III: Linking ERM to Strategy and Strategic Risk Management
Part IV: Specialized Aspects of Risk Management
Part V: Mini-Cases on ERM and Risk
Part VI: Other Case Studies

Brief descriptions of the contributors and the chapters are provided next.

PART I: OVERVIEW AND INSIGHTS FOR TEACHING ERM

The first two chapters provide an overview of ERM and guidance on ERM education. As we have pointed out, education on ERM is crucial and more universities need to offer courses in this area. Our conversations with many ERM educators and consultants highlight how extremely challenging it is to achieve excellence in ERM education.

Chapter 2, “An Innovative Method to Teaching Enterprise Risk Management: A Learner-Centered Teaching Approach,” offers insights and suggestions on teaching ERM. This chapter covers the concept of flipping the classroom with learner-centered teaching (LCT), distinguishes it from traditional lectures, and describes how it can be used in teaching ERM. The LCT approach emphasizes active student participation and collaboration on in-class activities such as case studies versus the traditional lecture approach. This chapter provides several examples as to how LCT can be applied in teaching ERM, utilizing Fraser and Simkins’ (2010) book. David R. Lange and Betty J. Simkins, both experienced ERM educators, team together to write this chapter. David Lange, DBA, is an Auburn University Montgomery (AUM) Distinguished Research and Teaching Professor of Finance. He has received many prestigious awards for both research and teaching from the University and from several academic associations. He has taught many courses in the area of risk management and has consulted in a significant number of individual and class insurance–related cases in both state and federal court. Betty Simkins, PhD, the Williams Companies Chair of Business and Professor of Finance at Oklahoma State University, is coeditor of this book.

PART II: ERM IMPLEMENTATION AT LEADING ORGANIZATIONS

Part II is a collection of ERM case studies that give examples of how ERM was developed and applied in major organizations around the world. Note that there is no perfect ERM case study and the objective is for readers to assess what they believe was successful or not so successful about these ERM programs.


The first case study in this book describes ERM at Mars, Inc. Larry Warner, who is the former corporate risk manager at Mars, Inc. and now is president of Warner Risk Group, describes the ERM program at the company in Chapter 3. Mars is a global food company and one of the largest privately held corporations in the United States. It has more than 72,000 associates and annual net sales in excess of $33 billion across six business segments—Petcare, Chocolate, Wrigley, Food, Drinks, and Symbioscience. Its brands include Pedigree, Royal Canin, M&M’s, Snickers, Extra, Skittles, Uncle Ben’s, and Flavia. With such complex business operations, Mars recognized the importance of providing its managers with a tool to knowledgably and comfortably take risk in order to achieve its long-term goals. Mars business units use its award-winning process to test their annual operating plan and thereby increase the probability of achieving these objectives.

The case study in Chapter 4 entitled “Value and Risk: ERM in Statoil” was written by Alf Alviniussen, who is the former Group Treasurer and Senior Vice President of Norsk Hydro ASA, Oslo, Norway, and Håkan Jankensgård who holds a PhD in risk management from Lund University, Sweden. Håkan is also a former risk manager of Norsk Hydro. In this case study, the authors discuss ERM at Statoil, one of the top oil and gas companies in the world, located in Norway. In Statoil, understanding and managing risk is today considered a core value of the company, which is written into the corporate directives and widely communicated to employees. ERM is thoroughly embedded in the organization’s work processes, and its risk committee has managed the transition from a “silo”-mentality to promoting Statoil’s best interests in areas where risk needs to be considered.

Chapter 5, called “ERM in Practice at the University of California Health System,” is written by its former Chief Risk Officer (CRO), Grace Crickette, who is now the Senior Vice President and Chief Risk and Compliance Officer of AAA Northern California, Nevada, and Utah. The University of California’s (UC) Health System is comprised of numerous clinical operations, including five medical centers that support the clinical teaching programs for the university’s medical and health science schools and handle more than three million patient visits each year. ERM plays an important role at the UC Health System and assists the organization in assessing and responding to all risks (operational, clinical, business, accreditation, and regulatory) that affect the achievement of the strategic and financial objectives of the UC Health System.

The descriptive case study in Chapter 6, written by Dr. Mark Frigo from DePaul University and Hans Læssøe, the Strategic Risk Manager of the LEGO Group, provides a great example of integrating risk management in strategy development and strategy execution at the LEGO Group, which is based on an initiative started in late 2006 and led by co-author Hans Læssøe. The LEGO methodology is also part of the continuing work of the Strategic Risk Management Lab at DePaul University, which is identifying and developing leading practices in integrating risk management with strategy development and execution.

United Grain Growers (UGG), a conservative 100-year-old Winnipeg, Canada-based grain handler and distributor of farm supplies, was an ERM pioneer. Chapter 7 called “Turning the Organizational Pyramid Upside Down: Ten Years of Evolution in Enterprise Risk Management at United Grain Growers” analyzes the ERM program at United Grain Growers 15 years later. When UGG announced that it had implemented a new integrated risk-financing program in 1999, it received a great deal of attention in the financial press. CFO magazine hailed the UGG program as “the deal of the decade.” The Economist characterized it as a “revolutionary advance in corporate finance,” and Harvard University created a UGG case study. While most outside attention focused on the direct financial benefits of implementing the program (protection of cash flow, the reduced risk-capital required, and a 20 percent increase in stock price), scant attention was given to the less tangible and therefore less measurable issues of governance, leadership, and corporate culture—the conditions that enabled such innovation. It was a combination of a collaborative leadership open to new ideas, a culture of controlled risk taking, and active risk oversight by the board that produced a strategic approach to UGG’s risk management process. This chapter is written by John Bugalla, who is the principal of ermINSIGHTS.

John Hargreaves has written Chapter 8, titled “Housing Association Case Study of ERM in a Changing Marketplace.” He has a mathematics degree from Cambridge University and six years of strategy consultancy experience at KPMG. This case study features four real-life charitable housing associations in England and Wales, each with a different strategy and risk environment. Simple yet practical tools to assist in risk identification and prioritization are also presented. This case study has two main aims. The first is to help develop an understanding of the importance of ERM in a charitable context, showing that modern charities are often very active organizations that face significant risks. Second, the case aims to illustrate the need for a close relationship between risk assessment and strategy development, particularly in sectors where objectives are defined in social as well as economic terms. Each of the four cases has a different perspective and challenges the student or practitioner to identify and assess the risks and develop possible risk treatments for each.

Chapter 9, “Lessons from the Academy: ERM Implementation in the University Setting,” was written by Anne E. Lundquist. She is pursuing a PhD in the Educational Leadership program at Western Michigan University with a concentration in Higher Education Administration. This chapter explores the unique aspects of the University of Washington’s (UW) risk environment, including how leadership, goal-setting, planning, and decision-making differ from the for-profit sector. The lack of risk management regulatory requirements, combined with cultural and environmental differences, helps explain why there are a limited number of fully evolved ERM programs at colleges and universities. The second half of the chapter explores the decision to adopt and implement ERM at UW, including a description of early decisions, a timeline of how the program evolved, a discussion of the ERM framework, and examples of some of the tools used in the risk management process. It traces the evolution of the UW program as well as demonstrates decisions that administrators made to tailor ERM to fit the decentralized culture of a university.

The case study in Chapter 10, “Developing Accountability in Risk Management: The British Columbia Lottery Corporation Case Study,” demonstrates how ERM was successfully implemented in a Canadian public sector organization over a 10-year period. Jacquetta Goy, author of this chapter, was the Senior Manager, Risk Advisory Services at British Columbia Lottery Corporation and was responsible for establishing and developing the ERM program. Currently, Jacquetta is the Director of Risk Management at Thompson Rivers University, Canada. This case study focuses on initiation, early development, and sustainment of the ERM program, highlighting some of the barriers and enablers that affected implementation. This case study includes a focus on developing risk profiles; the role of risk managers, champions, and committees; and the development of effective risk evaluation tools. The approach to ERM has evolved from informal conversations supported by an external assessment, through a period of high-level corporate focus supported by a dedicated group of champions using voting technology, to an embedded approach, where risk assessment is incorporated into both operational practice and planning.

Chapter 11, “Starting from Scratch: The Evolution of ERM at the Workers Compensation Fund,” describes the evolution of a formal ERM program at a midsize property casualty insurance carrier. This chapter is authored by Dan Hair, the CRO of the Workers Compensation Fund. In this chapter, the motivations of executive management and the board of directors in taking existing strategic risk management discussions to a higher level are reviewed. The step-by-step actions taken by the company to develop the ERM program are explained in chronological order. External resources used are also commented upon. The chapter concludes with a discussion of striking an ongoing balance between program rigor, documentation, and business needs.

Chapter 12, “Measuring Performance at Intuit: A Value-Added Component in ERM Programs,” shows how Intuit, maker of Quicken, QuickBooks, and TurboTax, is committed to creating new and easier ways for consumers and businesses to tackle life’s financial chores, giving them more time to live their lives and run their businesses. This case study shows how Intuit, a global company, is exposed to a wide range of customer-related and operational risks. Understanding the risk landscape enables Intuit to formulate and execute strategies to address potential pitfalls and opportunities. The author, Janet Nasburg, is Chief Risk Officer at Intuit. Janet is responsible for driving Intuit’s ERM capability, ensuring that the company appropriately balances opportunities and risks to achieve optimal business results. Before Intuit, Janet spent 16 years in various finance roles at Visa, and has more than 30 years of risk management and finance experience.

Chapter 13 describes TD Bank’s ERM program and how it has been developed to reinforce the risk culture and ensure that all stakeholders have a common understanding of how risks are addressed within the organization. This is achieved by identifying the risks to TD Bank’s business strategy and operations, determining the types of risk it is prepared to take, establishing policies and practices to govern risks, and following an ERM framework to manage those risks. This chapter is co-authored by Paul Cunha and Kristina Narvaez. Paul Cunha is Vice President, Enterprise Risk Management at TD Bank. During his career at TD Bank, he has spent time in risk management, internal audit, retail banking, commercial banking, and corporate and investment banking. Kristina Narvaez is the president and owner of ERM Strategies, LLC, and is co-editor of this book.

PART III: LINKING ERM TO STRATEGY AND STRATEGIC RISK MANAGEMENT

Part III of this book demonstrates the link between ERM and strategy in what is now being called strategic risk management (SRM). SRM represents an important evolution in enterprise risk management, shifting from a reactive approach to a proactive approach in dealing with the large spectrum of risks across the organization. These case studies view their risk-taking activities in a strategic way, not only to protect the organization’s value and assets, but also to be able to capture new value that is in alignment with the strategic goals of the organization.

Zurich Insurance Group, the case study in Chapter 14, demonstrates the link between ERM and strategy. Zurich is a global insurance carrier and is exposed to a wide range of risks. Zurich recognizes that taking the right risks is a necessary part of growing and protecting shareholder value. It is careful not to miss valuable market opportunities that could attract the best talent and investor capital, but must also balance the growth opportunities with the reality that it is operating in a complex world economy. This chapter is co-authored by Linda Conrad, Director of Strategic Business Risk Management at Zurich, and Kristina Narvaez, president and owner of ERM Strategies, LLC and co-editor of this book. Linda leads a global team responsible for delivering tactical solutions to Zurich and to its customers on strategic issues such as business resilience, supply chain risk, ERM, risk culture, and total risk profiling.

Chapter 15, “Embedding ERM into Strategic Planning at the City of Edmonton,” is written by Ken Baker, who is their ERM Program Manager. This study examines the process used by the City of Edmonton in Alberta, Canada, to establish its strategic ERM model. After examining several existing frameworks, the City decided on a framework based on the ISO 31000 risk management standard, but customized to suit the City’s needs. During the process, administration had to weigh factors common to any large organization, as well as those specific to governments in general and municipalities in particular. The chronicling of this process may assist those in similar organizations to more successfully implement their own ERM and SRM programs.

Chapter 16 gives a brief history of the evolution of enterprise risk management and describes a new and innovative approach (value mapping) to measuring the potential value created by taking risks. This chapter also provides a model for incorporating the ERM process into strategic planning. John Bugalla, Principal of ermINSIGHTS and author of Chapter 7, and James Kallman, a finance professor at St. Edward’s University, co-author this chapter. John’s experience includes 30 years in the risk management profession serving as Managing Director of Marsh & McLennan, Inc., Willis Group, Plc., and Aon Corp., before founding ermINSIGHTS. James teaches courses in finance, statistics, and risk management.

PART IV: SPECIALIZED ASPECTS OF RISK MANAGEMENT

Part IV of the book captures unique aspects of ERM so that the reader can learn about the many broad applications, including insights into managing specific types of risk. This part starts with a case study in Chapter 17 of the challenges of risk management within a typical police department. This case is followed by eight additional chapters addressing other intriguing aspects of risk management.

Andrew Graham reveals the complex and challenging aspects of risk management in Chapter 17, “Developing a Strategic Risk Plan for the Hope City Police Service.” This fictional case study was developed based on many years of teaching risk management to police forces. The setting is a medium-sized but growing city that is facing many issues, including changes in demographics, traffic issues, budgetary challenges, and so on. The student is required to act as a consultant who has been hired by the chief of police to assist him in briefing the Police Services Board and the mayor in understanding the most critical risks to their objective of having a best-in-class police service for their citizens. Andrew Graham researches, teaches, and writes on public-sector management, financial management, integrated risk management, and governance at Queen’s University School of Policy Studies, Canada, as well as a variety of international and Canadian venues. Andrew had an extensive career in Canada’s criminal justice system and has taught and worked with police services and police boards and commissioners in a variety of ways for the past 10 years.

Chapter 18, “Blue Wood Chocolates,” is designed to facilitate discussion of the implementation of an ERM framework, corporate governance issues, and commodity risk management. The situation that this fictional company faces is typical of many midsize companies that have performed satisfactorily in the past but are exposed, often unknowingly, to major potential risks and do not have the internal governance and risk management structures to identify, quantify, and manage such risks adequately. In particular, this case illustrates commodity and foreign currency exposures, and challenges the student to investigate the specifics of hedging such positions. Rick Nason, PhD, CFA, and Stephen McPhie, CA, coauthored this chapter. Rick is an associate professor of finance at Dalhousie University, Canada, and is also a founding partner of RSD Solutions, a risk management consultancy firm. His coauthor, Stephen McPhie, CA, is a partner of RSD Solutions Inc. and has also held various positions in the United States, Canada, and the United Kingdom with a major Canadian bank.

Foreign exchange (FX) risk management is one of the greatest financial risks a company faces when expanding globally. Chapter 19, “Kilgore Custom Milling,” illuminates the myriad of issues that arise when hedging FX risk, such as faced by a midsize original equipment manufacturer (OEM) operating in the automobile industry. Kilgore Custom Milling (a fictional company) needs to develop a hedging strategy to manage its foreign exchange risk for a new contract and decide what type of derivatives to use, what size of hedge to implement, and how the company’s financial risk management fits in with its overall ERM process. Rick Nason and Stephen McPhie, coauthors of Chapter 18, team together again to explore the complex and challenging issues that many companies face with FX risk.

ERM is currently of very high interest to companies operating in the Middle East, an area that presents unique challenges for implementation. Alexander Larsen captures this scenario in Chapter 20, “Implementing Risk Management within Middle Eastern Oil and Gas Companies.” This case study is based on real-life examples of Middle Eastern oil and gas companies and captures the challenges of implementing risk management in the Middle East. Alexander Larsen holds a degree in risk management from Glasgow Caledonian University and is a Fellow of the Institute of Risk Management. He has over 10 years of experience across a wide range of sectors, including oil and gas, construction, utilities, finance, and the public sector. Alexander has considerable expertise in training and working with organizations to develop, enhance, and embed their ERM.

Public safety organizations are increasingly adopting sophisticated enterprise governance and risk management techniques as a means of managing their programs and expenditures. Root cause analysis can provide these agencies with detailed insights into the problems and issues they face, and provide them with the information they need to make informed decisions on risk management. Chapter 21, “The Role of Root Cause Analysis in Public Safety ERM Programs,” explores these issues by presenting six common root cause analysis techniques that are applied in a public safety or law enforcement environment. The chapter author, Andrew Bent, is a practicing risk manager with a large Canadian integrated energy company and was previously in charge of ERM for one of Canada’s largest municipal police services.

Chapter 22, “JAA Inc.—A Case Study in Creating Value from Uncertainty: Best Practices in Managing Risk,” provides extensive details about ERM implementation in a fictional international organization and discusses topics including governance structure, the processes, and the various tools used. The case is built on the principles and guidance of ISO 31000 and the implementation guidance created by the Australian and New Zealand Handbook HB 436. This case emphasizes the roles of the heads of the internal audit function and the risk management function. The three coauthors of this chapter have extensive experience in risk management. Julian du Plessis, Head of Internal Audit at AVBOB Mutual Assurance Society, South Africa, has over eight years of financial sector experience. Arnold Schanfield is a Principal with Schanfield Risk Management Advisors LLC, and is an internal audit and risk professional with diversified industry expertise. Alpaslan Menevse is currently the Risk Officer at Sekerbank T.A.S., which has in excess of 310 branches in Turkey. He has 28 years of experience in information systems, both as an academic and as a practitioner.

A book on ERM case studies is not complete without some coverage of risk management failures. One of the most famous failures involving operational risk is discussed in Chapter 23, “Control Complacency: Rogue Trading at Société Générale.” In January 2008, Société Générale uncovered €49 billion of unauthorized equity positions at its Paris head office, which cost €4.9 billion to unwind. Using an interactive format, this case study analyzes the origins, actors, causes, and consequences of this notorious control breakdown and derives risk management lessons from it in the areas of corporate governance, controls, compliance, systems, technology, and reputation risk. The author, Steve Lindo, Principal, SRL Advisory Services, has many years of experience in ERM and provides a thorough and fascinating coverage of this disaster.

Value at risk (VaR) is one of the most widely used techniques to measure financial risks, particularly in the area of investment portfolios. However, it is a technique that has not been fully understood by many risk managers. In Chapter 24, “The Role of VaR in Enterprise Risk Management: Calculating Value at Risk for Portfolios Held by the Vane Mallory Investment Bank,” VaR is described along with its underlying assumptions, advantages, and disadvantages. Several examples for single assets are detailed for both the dollar and percentage VaR estimation methods. The main focus of this case study is a tutorial on calculating VaR for portfolios of assets using the covariance approach utilized in portfolio theory. Allissa A. Lee coauthored this case study with Betty J. Simkins. Allissa is an assistant professor of finance in the College of Business Administration at Georgia Southern University. She has published several academic articles and also worked in the mortgage industry for MidFirst Bank. Betty, coeditor of this book, is the Williams Companies Chair of Business and Professor of Finance at Oklahoma State University.

Chapter 25, “Uses of Efficient Frontier Analysis in Strategic Risk Management,” covers an advanced analytical technique, efficient frontier analysis (EFA), where complex property and casualty risk profiles are being considered. This chapter provides insights into risk portfolio volatility, pricing, and insurance layering efficiency using EFA, and applies it to a risk portfolio that presents catastrophic loss potential within the context of strategic risk management. This chapter’s coauthors are Ward Ching, who is Vice President, Risk Management Operations, at Safeway Inc., and Loren Nickel, who is Regional Director and Actuary, Actuarial and Analytics Practice, at Aon Global Risk Consulting. Both authors have extensive experience in property and casualty risk management and share their expertise in this specialized topic of ERM.

PART V: MINI-CASES ON ERM AND RISK

Mini-cases are a very powerful and highly useful resource in teaching ERM and can be easily utilized in short time periods such as a one-hour class segment. This part fills this gap in the education literature on ERM and includes six fictional mini-cases that have been developed by leading risk practitioners who draw from the wealth of their experiences in various applications of risk management.

Chapter 26, “Bim Consultants Inc.,” is based on a real event in which a company was faced with an important strategic acquisition decision. All names and data have been changed for confidentiality reasons. The purpose of the case is to illustrate the complexity of making strategic decisions and how greed and ego can cause a firm to change strategy in a way that may put the business at risk. The author, John Fraser, Senior Vice President, Internal Audit, and former Chief Risk Officer of Hydro One Networks Inc., is also coeditor of this book. Fraser is currently an adjunct professor at York University, Canada, and a member of the faculty of the Directors College. He is a recognized authority on ERM and has written extensively on the topic.

Chapter 27, “Nerds Galore,” is based on a fictitious small services company that appears to be on the verge of a major downturn. The focus of the case study is human resources–related risks, and the exercise is to conduct a risk assessment to aid in making the decision on whether to proceed with a major human resources strategy. This case study could be used as the basis for an actual risk workshop simulation with students role-playing various positions on the management team. Rob Quail, the author of this case study, draws on his extensive experience as Director of ERM at Hydro One Networks Inc., and provides an excellent mini-case to illuminate ERM applications.

Can a company have a successful ERM program that does not involve a key function, such as the legal department? And if not willing to participate, how do you convince this department to commit to ERM? The reader is challenged with tackling this crucial issue in Chapter 28, “The Reluctant General Counsel.” This mini-case is about the implementation of ERM at a software company and illustrates the challenges faced when the general counsel of the company has reservations and is not willing to support the implementation. The author, Norman Marks, CPA, CRMA, has been chief audit executive of major global corporations for over 20 years, and is highly regarded in the global profession of internal auditing. Furthermore, he is a prolific blogger about internal audit, risk management, governance, and compliance.

Chapter 29, “Transforming Risk Management at Akawini Copper,” describes how the approach to managing risk can be transformed and enhanced in a company. The case study is based on a hypothetical mining company, Akawini Copper, that has recently been acquired by an international concern. It draws on the practical concepts of ISO 31000 to show how a weak approach to risk management can be enhanced to be more robust and comprehensive by following a logical framework and transformation plan. The author, Grant Purdy, has worked in risk management for more than 35 years, across a wide range of industries and in more than 25 countries. Grant is coauthor of the 2004 version of AS/NZS 4360 and also of AS/NZS 5050, a standard for managing disruption-related risk, and has also written many risk management handbooks and guides.

Richard Leblanc, PhD, who is a governance lawyer, certified management consultant, and Associate Professor of Law, Governance, and Ethics at York University, draws on his extensive experience in board of director effectiveness when writing Chapter 30, “Alleged Corruption at Chessfield: Corporate Governance and the Risk Oversight Role of the Board of Directors.” Richard has advised regulators on corporate governance guidelines, and, as part of his external professional activities, has served as an external board evaluator and governance adviser for many companies, as well as in an expert witness capacity in litigation concerning corporate governance reforms. This case deals with the inner workings of a large organization’s board of directors, including allegations of corruption and self-dealing, and provides the reader with a captivating application of risk management shortcomings in governance and internal controls.

Diana Del Bel Belluz, president and founder of Risk Wise, Inc., draws on her experience in operational risk when writing Chapter 31, “Operational Risk Management Case Study: Bon Boulangerie.” This mini-case provides the opportunity for students to discuss and present their knowledge of operational risk. It describes the challenges and opportunities faced by a fictional bakery business in a small city. The bakery’s owner has decided to expand the business for greater rewards, but in doing so is faced with a number of operational challenges. Additional information on the steps of operational risk management is available in Chapter 16 in Fraser and Simkins (2010). Diana has many years of consulting experience in ERM, and advances the practice of ERM through her thought leadership as an educator, conference organizer, speaker, and author of ERM resources.

PART VI: OTHER CASE STUDIES

Many risk management lessons can be learned from the financial crisis of 2008, and we begin this part with a chapter addressing this topic: Chapter 32, “Constructive Dialogue and ERM: Lessons from the Financial Crisis.” In this chapter, Tom Stanton eloquently examines the critical distinctive factors between successful and unsuccessful firms in the crisis and refers to the presence or absence of these factors as constructive dialogue. Successful firms managed to create productive and constructive tension between those in the firm who wanted to do deals or offer certain financial products and services and those who were responsible for limiting risk exposures. Instead of simply deciding to do a deal or not, successful firms considered ways to hedge risks or otherwise reduce exposure from doing the deal. Thomas H. Stanton is a Fellow of the Center for Advanced Governmental Studies at Johns Hopkins University, a director of the Association of Federal Enterprise Risk Management, a former director of the National Academy of Public Administration, and a former member of the federal Senior Executive Service.

An important objective in this book is to provide global coverage about ERM by including insightful applications in various countries. Poland, after the transition into the free market economy in 1989, became open to knowledge and transfer of the best practices from around the world. Chapter 33, “Challenges and Obstacles of ERM Implementation in Poland,” draws on years of research, both formal and informal, and documents the country’s first approaches to ERM implementation. The successes, challenges, and weaknesses are described and provide a valuable lesson for other countries, regions, or even organizations in how they might go about implementing ERM. Two experts on ERM implementation in Poland teamed together to write this chapter. Zbigniew Krysiak, PhD, is an associate professor of finance at the Warsaw School of Economics in Poland. He is the author or coauthor of more than 100 publications, intended both for practitioners and for the academic community, concerning finance, risk management, financial engineering, and banking. His coauthor, Sławomir Pijanowski, PhD, is president of the POLRISK Risk Management Association in Poland, where he is responsible for development of good risk management practices for the Polish market. He is coauthor of the Polish book titled Risk Management for Sustainable Business published by the Polish Ministry of the Economy and has many other accomplishments in the area of risk management.

Chapter 34, entitled “Turning Crisis into Opportunity: Building an ERM Program at General Motors,” was written by leaders of ERM at GM—Marc Robinson, Lisa Smith, and Brian Thelen. This case study chronicles the ground-up implementation of ERM at General Motors Company (GM), starting in 2010 after it emerged from bankruptcy. While GM recognizes that its ERM is a work in progress, there have been important successes both in improving the management of risk and making better business decisions. Critical to these successes has been a clear strategic vision on adding value for the business leaders that are the true risk owners, unique decision tools such as game theory, and a continuous improvement mindset, including robust lessons learned. The study describes the lessons learned during implementation and some of the unique approaches, tools, and techniques that GM has employed. Examples of senior management reporting are also included.

The last case study in the book is also extremely insightful because it provides an excellent example of an ERM application at a company in Asia. The authors demonstrate in Chapter 35 how Astro, a Malaysia-based media company, uses ERM to grow through international acquisitions, and how it implements enterprise risk management not only to ensure sound risk management by its foreign subsidiaries and joint ventures, but also to make better risk/return decisions on its portfolio of direct investments. Both authors are authorities on ERM implementation globally. Ghislain Giroux Dufort is President of Baldwin Risk Strategies Inc., a consulting firm advising boards of directors and management teams on risk governance and ERM, and has over 25 years of experience. Patrick Adam Kanagaratnam Abdullah is the Vice President of ERM for Astro Overseas Limited (AOL), Malaysia. He specializes in the implementation of ERM practices across AOL’s investments and has over 21 years of experience in various areas of risk management.

CONCLUSION

As outlined above, the case studies and specialized topic chapters in this book present an impressive coverage of new information on enterprise risk management, and all chapters are written by leading ERM experts globally. To our knowledge, this is the first book to be published that provides such comprehensive coverage of ERM case studies. We hope you find this book a valuable resource in your education and/or implementation of ERM. We welcome your comments and suggestions. Answers to the end-of-chapter questions and detailed teaching notes to most cases are available to instructors at

NOTES

1. See the 2014 American Productivity & Quality Center Report.
2. ISO 31000 was issued by the International Organization for Standardization in 2009. For a description refer to Chapter 7 of Fraser/Simkins by John Shortreed.
3. Fraser/Simkins, 15.
4. ISO 31000 has been agreed to by about 25 major countries of the international community as the guideline for risk management.

REFERENCES

American Productivity & Quality Center (APQC). 2014. APQC Report.
Fraser, John, and Betty J. Simkins, eds. 2010. Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Hoboken, NJ: John Wiley & Sons.
Fraser, John, Karen Schoening-Thiessen, and Betty J. Simkins. 2008. “Who Reads What Most Often? A Survey of Enterprise Risk Management Literature Read by Risk Executives.” Journal of Applied Finance 18:1 (Spring/Summer).
PWC (PricewaterhouseCoopers). 2014. Risk in Review: Re-Evaluating How Your Company Addresses Risk. review-transformation-management.jhtml.

ABOUT THE EDITORS

John R.S. Fraser is the Senior Vice-President, Internal Audit, and former Chief Risk Officer of Hydro One Networks Inc., Canada, one of North America’s largest electricity transmission and distribution companies. He is a Fellow of the Institute of Chartered Accountants of Ontario, a Fellow of the Association of Chartered Certified Accountants (U.K.), a Certified Internal Auditor, and a Certified Information Systems Auditor. He has over 30 years of experience in the risk and control field, mostly in the financial services sector, including areas such as finance, fraud, derivatives, safety, environmental, computers, and operations. He is a member of the Faculty at the Directors College for the Strategic Risk Oversight Program, and has developed and teaches a master’s degree course entitled Enterprise Risk Management in the Masters in Financial Accountability Program at York University, where he is an adjunct professor. He is a recognized authority on enterprise risk management and has co-authored several academic papers on ERM. He is co-editor of a best-selling university textbook released in 2010, Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives.

Betty J. Simkins, PhD, is Williams Companies Chair of Business and Professor of Finance at Oklahoma State University. Betty received her PhD from Case Western Reserve University. She has had more than 50 publications in academic finance journals. She has won awards for her teaching, research, and outreach, including the top awards at Oklahoma State University: Regents Distinguished Research Award and Outreach Excellence Award. Her primary areas of research are risk management, energy finance, and corporate governance. Betty serves on the editorial boards of nine academic journals, including the Journal of Banking and Finance; is past coeditor of the Journal of Applied Finance; and is past president of the Eastern Finance Association. She also serves on the Executive Advisory Committee of the Conference Board of Canada’s Strategic Risk Council. In addition to this book, she has published two others: Energy Finance and Economics: Analysis and Valuation, Risk Management and the Future of Energy and Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (co-edited with John Fraser). Prior to entering academia, she worked in the corporate world for ConocoPhillips and Williams Companies. She conducts executive education courses for companies globally.

Kristina Narvaez is the president and owner of ERM Strategies, LLC (www.erm-), which offers ERM research and training to organizations on various ERM-related topics. She graduated from the University of Utah in environmental risk management and then received her MBA from Westminster College. She is a two-time Spencer Education Foundation Graduate Scholar from the Risk and Insurance Management Society and has published more than 25 articles relating to enterprise risk management and board risk governance. She has given many presentations to various risk management associations on topics of ERM. She is an adjunct professor at Brigham Young University, teaching a business strategy course for undergraduates.


Overview and Insights for Teaching ERM


An Innovative Method to Teaching Enterprise Risk Management

A Learner-Centered Teaching Approach

DAVID R. LANGE Distinguished Research and Teaching Professor of Finance, Auburn University Montgomery

BETTY J. SIMKINS Williams Companies Chair of Business and Professor of Finance, Oklahoma State University

Learner-centered teaching (LCT), commonly referred to as “flipping the classroom” (Shibley and Wilson 2012), is an alternative to the traditional teacher lecture (TL). With LCT, students actively participate in the pedagogical process and take increased responsibility for learning through constructive reflective reasoning. Where with TL content is covered, content in LCT is used as a “means to learning” (Weimer 2002). LCT is ideally suited for content provided in lists, tables, charts, and exhibits, and particularly so if these are in the form of topic overviews, flowcharts, or summaries. The case method espouses similar student-engaged learning processes by promoting critical thinking and analysis, creating discussion of conflicting issues and requiring a decision (Bean 2011). LCT amplifies and broadens student learning from cases. Hence, the case studies in this book are ideal for teaching enterprise risk management (ERM) using LCT.

The chapter is presented in three sections. The first section clarifies the concept of flipping the classroom with LCT, distinguishes LCT from a TL, and explains why the growing LCT movement should be joined. The second section considers the what: Weimer’s (2002) Learner Centered Teaching “Five Key Changes to Practice,” a definitive paradigm for changing pedagogy to LCT from a TL. A final section, the appendix, provides examples of the how: using content to implement LCT in an enterprise risk management (ERM) course at Auburn University Montgomery. The examples are from Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (Fraser and Simkins 2010), which opportunely provides ERM content in the supporting formats. The LCT examples are provided in contrast to TL approaches, and include learning notes expanding the how of the examples.

20 Implementing Enterprise Risk Management

Exhibit 2.1 TL versus LCT

Bloom (1956) | Anderson and Krathwohl (2001) | Expanded
Knowledge | Remember: Recognize, recall | Memorize, recollect, retain
Comprehension | Understand: Interpret, explain | Comprehend, realize, apprehend
Application | Apply: Calculate, solve | Compute, estimate, determine
Analysis | Analyze: Distinguish, relate | Examine, explore, study, associate
Evaluation | Evaluate: Critique, test | Assess, appraise, review, comment
Synthesis | Create: Hypothesize, devise | Speculate, theorize, postulate, offer, imagine, assume, suggest

LEARNER-CENTERED TEACHING: THE WHY

Flipping the classroom refers to Bloom’s Cognitive Learning Taxonomy (1956), a commonly accepted identification of levels of learning (Anderson and Krathwohl 2001; Bean 2011; Shibley and Wilson 2012), and thus an easily identifiable model with which to distinguish LCT from TL. Exhibit 2.1 has inverted Bloom’s taxonomy to illustrate flipping the classroom. In a TL, the teacher normally progresses through the taxonomy starting with imparting knowledge:

• Knowledge: covering content with PowerPoint presentations, lectures, and so on
• Comprehension: offering alternative descriptions and definitions, followed by a question of “What does this mean in your own words?”
• Application: solving problems step-by-step, demonstrating necessary calculations, and solving homework problems replicating calculations
• Analysis: comparing and explaining results from different problems
• Evaluation: questioning validity of assumptions, processes, and textbook sections on weaknesses in the model
• Synthesis: concluding with summaries and overviews

We may recognize the TL approach from our own experience or through classroom observation of peers.

To further illustrate the levels of learning, Anderson and Krathwohl’s (2001) revision of Bloom’s taxonomy is included in the center column of Exhibit 2.1. The third column contains an expanded list of active learning for additional clarification.

Learner-Centered Teaching

In LCT, content is used as a means to learning (Weimer 2002). Envision a learning process in which students compute a financial problem, examine different points of view, review and comment on an article, or postulate explanations for survey results. The knowledge (content) is discovered and used by the students in the learning process. Content in LCT is used as a means to learning (Weimer 2002), not presented and covered as in the context of a TL. In effect, as the examples will demonstrate, LCT enters Bloom’s Cognitive Learning Taxonomy through the higher levels of application, analysis, evaluation, and synthesis.

Why LCT?

A primary explanation for education moving toward LCT is based on learning research that supports “more active, inductive instruction” (Smart, Witt, and Scott 2012). Increased student engagement, strengthened team-based skills, personalized student guidance, focused classroom discussion, and faculty freedom are several benefits of the growing LCT pedagogical adoption (Millard 2012). In a review of pedagogical literature with courses adopting LCT, Wright (2011, p. 96) found college teachers believe “a more effective learning environment” was provided, and “students tended to respond positively.” A smaller study by Wohlfarth et al. (2008) acknowledged the need for further research and offered strong qualitative student support of LCT’s importance in assisting learning.

There are several other reasons why LCT should be adopted. In a paper applying 29 components to benchmark the degree of LCT implementation, Blumberg and Pontiggia (2011) note the importance of LCT in their institutions’ faculty development workshops, the implications for assessments and accreditation, and potential student admission promotional material. Yang (2010, p. 80) offers a globalization justification to adopt LCT, the need to “encourage students to actively participate in the discussion, and the need for students to fully express their views,” even if it is counter to student cultural behavior.

Poor teaching experience with the TL is another supporting reason for LCT. The prepared TL covering knowledge, with students attempting to retain and simultaneously comprehend key points, may appear more as a sermon, speech, homily, or oration. Instructors, from their own experience or through classroom observation of peers, may relate to the “picture of somewhat lifeless students sitting passively in classrooms, with glazed eyes, some struggling to stay awake in dimmed classrooms as an instructor shared key concepts . . . using slides” (Smart, Witt, and Scott 2012, p. 393).

The educational goal is to engage students to become active versus passive learners by promoting critical thinking and “emphasizing inquiry” (Bean 2011, p. 38). LCT’s flipped classrooms focus on critique, assess, hypothesize, and speculate, the higher levels of Bloom’s Cognitive Learning Taxonomy. The base levels of knowledge and understanding may be assigned before class (Shibley and Wilson 2012).

FIVE KEY CHANGES TO PRACTICE: THE WHAT

Weimer’s Learner Centered Teaching (2002) “Five Key Changes to Practice” is a definitive paradigm for changing pedagogy to LCT. This section describes each of these “Five Key Changes to Practice,” which are:

1. The Balance of Power
2. The Function of Content
3. The Role of the Teacher
4. The Responsibility for Learning
5. Evaluation Purpose and Process

Consideration of the five steps with each of the LCT ERM examples paradoxically resembles the TL approach. Therefore, instructors are encouraged to appraise their current pedagogy and associate the respective LCT changes to practice with their course. To assist your movement to LCT, Weimer’s (2002) Part Two, “Implementing the Learner-Centered Approach,” includes discussions of responding to resistance from students and faculty, taking a developmental approach in converting students from passive to active learners, and making LCT work based on principles of successful instructional improvement. Appendixes in Weimer (2002) offer suggestions for the syllabus and learning log (Appendix A), handouts for developing learning skills (B), and a recommended reading list (C). Blumberg (2009) provides an extensive step-by-step guide to adopting LCT.

The Balance of Power

The LCT classroom is more democratic than the TL, where sequencing, content, and information flow are one-way: professor to student. With LCT, students actively participate in the learning process and are likely to alter its direction by connecting to prior tangential or experiential knowledge. Generally, the teacher retains the responsibility for selecting the course content, learning goals, and itinerary, though even these may include student input. Regardless, with LCT, the learning path taken, the direction of course discussion, and practical examples are at the very least influenced, and more likely chosen, by the student; thus “power is shared” (Weimer 2002).

LCT often includes case studies, small group discussions or assignments, and/or designating a student to be a group discussion leader on a rotating basis. Power sharing is not easy for teachers accustomed to a TL approach. But LCT power sharing has several benefits. Students are more active, engaged, interested, and motivated, and less passive and disconnected (Weimer 2002, p. 31). It is easier for a student to hide in a class of 30, 50, or 100 than in a group of five students. It should be noted that the student discussion leader is equally asked to “share the power,” and there are potential “tough spots for running a risk management workshop”—nonparticipation and dominators (Fraser and Simkins 2010, p. 169).

The Function of Content

With LCT, content is used in the learning process, not covered in the context of the TL. This does not imply that the content, base knowledge, is not covered. It simply means that students do not first memorize the base knowledge for later recall. Instead, students constructively examine, explore, review, and assess content. It is extremely interesting to see students strongly arguing for the most important step in an ERM process even when there may not actually be a hierarchy. Creating and defending an argument for the most important step, what risk stands out, or what is the most challenging step requires a cognitive reasoning process and a subtle incorporation of base knowledge and linkage to previously learned material—the LCT version of content coverage. With LCT, the content learning process “develops learning skills” and “promotes self-awareness of learning,” and students “experience it firsthand” (Weimer 2002, p. 51–52).

The amount of content covered is a possible concern for those more inclined toward a TL. However, contrary to expectations, experience suggests that more content is covered, not less, as students explore and assess content versus memorization.

As shown in the Appendix, Example #10, Chapter 18: “Managing Financial Risk,” is a good illustration of more coverage. The TL approach gives an example of the trade-offs, costs, and benefits of hedging with futures contracts, often starting with a simple natural hedge. Here, the student records the respective payoffs to long and short positions when prices change. Students memorize the transactions and expect to replicate the steps with different numbers, and maybe even a different futures contract for a challenging TL course. With LCT, students first view a short video about futures markets (, and then review the listing of available futures contracts, selected quotes, and specifications. LCT scenarios in which futures contracts could be applied quite often begin with weather futures, as students’ curiosity is awakened when they imagine rain, snow, and tornadoes, not the TL farmer and cereal producer with corn futures. With LCT, students first suggest, appraise, and associate scenarios with futures contracts, and then calculate payoffs given the contract specifications. As noted previously, the LCT teacher needs to be prepared to assist with any futures calculation.

A second example in the Appendix of expanded content is Example #13, Chapter 23: “Academic Research on Enterprise Risk Management.” In a TL course, students would memorize the articles and the findings of each, with the goal of restating the findings on an exam. With LCT, critiquing, appraising, and theorizing often lead to discussions of hypotheses. For example, why is there an expected relationship between ERM and “organizational slack” or “asset opacity” (Fraser and Simkins 2010, p. 426)? This level of hypothetical discussion is considerably beyond “Who found what?”

The Role of the Teacher

Perhaps the most difficult change in moving to LCT for a teacher accustomed to the TL is that lectures are replaced with individual student learning, small group discussions, or other group activities. The teacher’s role is that of a moderator, tour guide, and/or facilitator of learning. This role is a necessary part of LCT, not an option; the teacher “must move aside, often and regularly” (Weimer 2002, p. 74).

Serving as guide extends to after groups (or individuals) report their suggestions, hypotheses, comments, explorations, or computations. It is very tempting to return to the TL, the “sage on the stage,” with corrections, conclusions, or examples. A moderator or facilitator would ask: Was your group in agreement? What issues did you differ on? What do you believe is the lesson here, the point to be learned? Does anyone else have a different solution or computation?

Granted, the teacher’s workload may be more, not less. We often prepare, or receive with the textbook, a series of very structured lecture slides, “talking PowerPoints,” demonstrating what and how much we know about the topic. Our thorough, insightful, wise lecture is interrupted only by the proverbial unanswered inquiries of: Does anyone have any questions? Is this clear? Do you understand?

It is quite another task to be able to guide constructive explorative reasoning and learning. It is not that LCT is without structure; it is that the LCT learning structure is flexible, fluctuating, adjustable, and often unpredictable. Weimer (2002, pp. 83–91) offers the following seven principles:

1. Teachers do learning tasks less.
2. Teachers do less telling; students do more discovering.
3. Teachers do more design work.
4. Faculty do more modeling.
5. Faculty do more to get students learning from and with each other.
6. Faculty work to create climates for learning.
7. Faculty do more with feedback.

The “Useful Facilitation Tips” for running a risk management workshop (Fraser and Simkins 2010, p. 169) may serve a dual purpose as student content and LCT advice:

• Inquire. Ask open-ended questions, such as “Why?” Ask participants to speak not just on behalf of themselves but about what they think others might be thinking. Ask for the contrary view: “What are some of the arguments against this?” Ask for evidence: “How do you know?”

• Restate. Summarize or paraphrase what you have just heard. Summarize the key points and then ask someone to add to them or comment on them or contradict them.

• Provoke. State extreme views that you might have heard or imagined on the subject under discussion. Encourage healthy debate.

• Use silence. After asking a question that gets no immediate response, it is extremely tempting to fill the silence by talking more or restating the question. Don’t. Wait through the silence. If you wait long enough, someone will speak.

• Get out of the way. If a good animated discussion starts to happen that is directly on topic and there is available time, try to “blend in with the furniture.” Walk to the side of the room or sit down. Let the students run with it. Wait for the discussion to peter out or drift off topic before again making your presence felt.

• Don’t overexplain. The authors’ experience is that the more participation (and less explanation or lecturing) there is in a workshop agenda, the more engaged the participants will be. Avoid lengthy descriptions of the steps to be taken or the underlying theory. Tell them the bare bones of what they need to do for the next step in the process, and then let them learn by doing.

The Responsibility for Learning

Teachers remain responsible for creating a learning environment, but students take responsibility for learning (Weimer 2002). Many of the example questions, exercises, and activities provided in the appendix were created by students in the ERM course. Students on a rotating basis provide discussion questions and serve as small group moderators. Student small group moderators are encouraged to have every student engage in the discussion process, limiting individual students who may try to dominate, and motivating timid students. Engaged students accept the linkage between their actions and learning. Misbehavior is better corrected by peers who see that learning is being prevented than by teacher retribution.

Students are also responsible for contributing to course content, further engaging their interest and ownership of the responsibility for learning. For example, in the Appendix, the tornado incident at the truck yard in LCT Example #6, Chapter 13: “Quantitative Risk Assessment in ERM,” was found by a student. The student was delighted to share the discovered risk example, as other students accepted a challenge to find additional videos of the incident or similar catastrophic events. The whistle-blowing websites and information in LCT Example #12, Chapter 20: “Legal Risk Post-SOX and the Subprime Fiasco,” were also found by students. The content served as a basis for spirited group discussions on whistle-blowing. Consider the benefit of 30 students searching and exploring the web for current content versus the teacher presenting a few selected sites in a TL. Avoid the classic student statement, “That seems like a good example, but I cannot quite relate to it. It was before I was born.”

Evaluation Purpose and Process

It reasonably follows that LCT also results in a change in evaluation procedures, essentially orienting the evaluation process to promote learning. LCT does not reduce the importance of evaluations and the structural value of course grades. LCT does alter the focus of evaluations to learning, as grades do not necessarily reflect the desired higher-level learning, especially if exams only measure recall and rote memorization of base knowledge.

It is not a straightforward change for evaluations to emphasize learning. Accordingly, Weimer (2002) considers the opportunities in greater detail:

• As a foundation to reduce the stakes and stress of the exam, provide review sessions, make sure exams reflect covered content, offer multiple opportunities, or have exams taken as a group.
• For papers, suggest appropriate paper topics, and clearly state academic coverage expectations.
• Develop participation through both self and peer assessment.
• Utilize review sessions at the end of classes and prior to exams as learning exercises, allowing groups to summarize important content and topics that are expected to be on the exam.
• Avoid returning to the TL in the review, however tempting it is and however easily one may accidentally revert to it.
• Continue LCT into the postexam review by encouraging students to support answers they argue are correct, citing content or their reasoning process. How often, when a student states that answer C seems to be correct, we respond with “Sorry, B is the only correct answer.” Imagine the different response of “Why do you think C is correct?” Place the emphasis on learning, and we may sometimes discover that answer C may also be correct.


CONCLUSION

Overall, movement toward LCT may not be as large a pedagogical change as one may fear, and case study teaching is a type of LCT. The goals of the TL generally rely on Bloom’s (1956) original taxonomy or Anderson and Krathwohl’s (2001) metacognitive revision—striving for evaluation and synthesis. Programs to improve critical thinking and active learning through writing (Bean 2011) also cite Bloom’s taxonomy. So the TL and LCT approaches both have the desired educational cognitive learning theory goals of evaluation and synthesis.

Top-down instruction and hands-on methods of learning have been around for some time, emphasizing why, what, and then how. This pedagogy has included preparing students for learning, activating relevant knowledge, gaining students’ attention, aids to understanding, promoting meaningful processing, and directing and maintaining attention (Steinberg 1991). In essence, when evaluation and synthesis are achieved, students know the why and the what, which leads to how. Knowing only how, including knowledge, comprehension, and application, does not necessarily lead to evaluation and synthesis.

If we want to increase student engagement, strengthen team skills, and use content for learning rather than covering content for recall, LCT offers pedagogical advantages over the TL.

We want students to examine, explore, study, associate, assess, appraise, review, comment, speculate, theorize, postulate, offer, imagine, assume, suggest, and hypothesize. Observing student success is extremely rewarding and encouraging, good reasons to create a learner-centered environment versus a teacher-dominated lecture.

QUESTIONS

1. Which of Maryellen Weimer’s classic Learner Centered Teaching (2002), “Five Key Changes to Practice” do you feel is the most important and/or challenging? Why?
(a) The Balance of Power
(b) The Function of Content
(c) The Role of the Teacher
(d) The Responsibility for Learning
(e) Evaluation Purpose and Process

2. Given the importance of globalization, how would you approach adopting LCT even if it is counter to your students’ cultural behavior?

3. What techniques and/or guidelines do you envision to change your role as a teacher, to “step out of the way” of learning and serve as a moderator, not a “sage on the stage” or lecturer?

4. How do you plan to introduce and orient your students to LCT? Do you have specific concerns about student response and their acceptance of responsibility for learning?

APPENDIX: LCT ERM EXAMPLES FROM THE HOW

This appendix provides several LCT examples along with the related TL alternatives for an ERM course that has been conducted at Auburn University Montgomery (Alabama) since 2010. All examples and page number references apply to Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, co-edited by John Fraser and Betty J. Simkins (2010). Learning notes (LN) include pedagogical suggestions and course experiences. The following LCT examples are generally small group discussions, but LCT often includes reading assignments or problems that may be done prior to the actual class meeting (Shibley and Wilson 2012). In each example, TL begins with the traditional teacher lecture on the topic (such as using PowerPoint slides to speak to the students and cover the material, etc.). LCT starts with the students.

While reviewing the examples, imagine the possible implications of Weimer’s (2002) “Five Key Changes to Practice” described in this chapter where the process has been flipped. Most importantly, notice how content is covered but not in a traditional lecture context where the teacher presents the information. Rather, content is used as a means of learning. Additional examples of LCT for business communication courses are contained in Smart, Witt, and Scott (2012). Wright (2011) offers an insightful pedagogical literature review of Weimer’s “Five Key Changes to Practice.”

Example #1. Chapter 2: A Brief History of Risk Management

TL: Risk management “spans the millennia of human history” (page 19). Cover the list of significant milestones in a series of PowerPoint slides and explain the contribution of each to the development of ERM.

LCT: Review the List of Contributions (pages 22–27) and suggest the three most significant milestones in the development of ERM. Comment on why your group chose these milestones. Was the group generally in agreement? If not, what were the other selected milestones?

LN: Groups generally differ on the top three milestones, usually based on different themes: economic events, creation of professional organizations, contributions and development of risk management theory, or possibly legislative actions. The list of significant milestones small group exercise provides an early and substantial insight into LCT. Rather than memorize, recall, and explain, the students are asked to review, suggest, and comment—all higher levels of Bloom’s Cognitive Learning Taxonomy. It is most rewarding to see students argue about the top three, supporting their choices by associating or assessing the impact of milestones on the development of risk management. There may not even be a top three, and even if there is, the teacher has a postgroup selection opportunity to guide the discussion or note the differences in theme the groups selected.

Example #2. Chapter 3: ERM and Its Role in Strategic Planning and Strategy Execution

TL: Cover the List of 11 Tenets of the Return-Driven Framework (pages 37–38).

LCT: Appraise the list of risk categories for the greatest risk (pages 41–42).

• Shareholder value risk
• Financial reporting risk
• Governance risk
• Customer and market risk
• Operations risk
• Innovation risk
• Brand risk
• Partnering risk
• Supply chain risk
• Employee engagement risk
• Research and development (R&D) risk
• Communication risk

LN: The textbook presentation states that “the framework encourages thinking about these risk categories” (page 41). With LCT, students should be encouraged to do so, and in the learning process incorporate the 11 tenets.

TL: A “genuine asset” is . . . (page 38).

LCT: Create a list of “genuine assets” for a company of your choice.

LN: A simple create exercise includes recognize, apprehend, and determine. The teacher may facilitate clarifications and corrections by guiding subsequent classroom discussion in examining, critiquing, and exploring the different lists of “genuine assets.”

Example #3. Chapter 5: Becoming the Lamp Bearer—The Emerging Roles of the Chief Risk Officer

TL: The chief risk officer has four major roles: (1) compliance champion, (2) modeling expert, (3) strategic controller, and (4) strategic adviser. In the first role . . . (pages 75–81).

LCT: Reviewing Exhibit 5.1 (page 80), distinguish the roles of strategic controller and adviser. Postulate which role of the chief risk officer is the most important.

LN: Postulating requires memorization, comprehension, distinguishing, and appraisal.

Example #4. Chapter 8: Identifying and Communicating Key Risk Indicators

TL: Key risk indicators are an ERM tool that . . . (page 129).

LCT: Distinguish key risk indicators from key performance indicators. Suggest the key risk indicator practical applications that are most important to achieve the organizational strategy of the company you work for, a company chosen by your group, or the university.

LN: The facilitator role is often needed on this topic, as key risk indicators may be confused with or closely aligned with key performance indicators.

Example #5. Chapter 11: How to Prepare a Risk Profile

TL: The Risk Map is a graphic representation of a Risk Profile and in this case contains eight risks (page 173). The first risk is . . .

There are eight steps to create a Risk Profile (pages 177–186).
Step 1: Schedule interviews and gather background information.
Step 2: Prepare the interview tools.
Step 3: Summarize the interview findings.
Step 4: Summarize the risk ratings and trends.
Step 5: Draft the Top 10 Risk Profile.
Step 6: Review the Draft Risk Profile.
Step 7: Communicate the Risk Profile with the board or a board committee.
Step 8: Track the results.

LCT: Appraise the benefit of a Risk Profile and Risk Map. Suggest which step is the most challenging in preparing a Risk Profile. Comment on why your group selected this step. Create a Top 10 Risk Profile for the company you work for, your university, or your school.

Example #6. Chapter 13: Quantitative Risk Assessment in ERM

TL: This chapter discusses risk assessment and risk quantification . . . (page 219).

LCT: Explore information related to the Schneider Truck Yard Tornado Damage in Dallas, Texas, on April 3, 2012. This results in a large number of videos and news stories. Assess where this event would be placed in a Risk Map. Comment on how the event may be viewed in a statistical analysis. Now speculate on your reaction if you have just received a phone call stating, “All of the trailers and tractors in your Dallas Hub have been destroyed.” See Exhibit 13.3 of Fraser and Simkins (2010, p. 224).

LN: The video of tractor trailers flying through the air is striking. This is a learning opportunity to consider the ERM of “tail events” and “known unknowns.”

Example #7. Chapter 14: Market Risk Management/Credit Risk Management

TL: Looking at the Taxonomy of Market Risk and Credit Risk (page 240): The first market risk is . . . . The next one is . . . . The third one is . . . . The first credit risk is . . . . The next one is . . . . The third one is . . . .

LCT: Distinguish between market risk and credit risk. Reviewing the different types of risk, assess which risk is most striking and noteworthy. Comment on why your group chose this risk.

Example #8. Chapter 16: Operational Risk Management

TL: This chapter illustrates the answers to fundamental questions, including (page 280):

• What is operational risk? Why should you care about it?
• Is risk all bad?
• How do you assess operational risks, particularly in a dynamic business environment?
• Why do you need to define risk tolerance for aligned decision making?
• What can you do to manage operational risk?
• How do you encourage a culture of risk management at the operational level?
• How do you align operational risk management with enterprise risk management?

First, let’s answer the question of “What is operational risk?”

LCT: Using Exhibit 16.2, The Bow Tie Model (page 291), provide an analysis of a current news event. This is reprinted as Exhibit 2.2 in this chapter.

LN: The current news event may be any risk event, from explosions to traffic wrecks, bankruptcies to product recalls, flood damage to tornado damage, information leaks to software failures. The analysis answers the questions, and the content is used as a means to learning.

TL: “The 5 Whys is a question-asking method that can be used to explore the cause-and-effect relationships underlying a particular risk event or problem” (page 294).

LCT: Continue your current news event analysis by exploring with at least five whys.

LN: There are always current risk events in the news, most of which can be searched for, often including videos. As an example, a recent class chose a wreck between a church bus and a truck on an expressway. At first, it appeared that the group’s risk event selection was a direct adoption of the textbook example—a fatal accident (page 294). However, the student-engaged whys expanded quickly, as follows:

• Why did the wreck occur? Bus crossed median of expressway after tire blew out.
• Why did the tire blow out? Poor bus maintenance, bad tire, debris on roadway.
• Why was there poor bus maintenance? Expenses limited by budget.
• Why was the driver not able to control the bus? Young, inexperienced volunteer.
• Why was the driver an inexperienced volunteer? Previous older, experienced driver quit driving given his age. Newer driver only needs to pass commercial driver’s license (CDL) exam and drives no more than twice per week, rarely on the expressway.
• Why did the bus cross the median? No safety barrier in place.
• Why was there no safety barrier in place? State had added several hundred miles of wire or concrete median barrier, but this section of expressway had lower priority based on wreck history.
• Why wasn’t topology and shallow median considered? Engineering expertise more expensive.
• Why were individuals seriously injured? Lack of personal restraints.
• Why were there no personal restraints? Not required, expensive option.
• Why are personal costs not given greater weight in budgeting?


Exhibit 2.2 The Bow Tie Model [figure; horizontal axis: Outcome Values (Negative Outcomes, Positive Outcomes); vertical axis: Outcome Likelihood (High Probability, Low Probability)]

Example #9. Chapter 17: Types of Risk

TL: “Distinguishing between beta and alpha risk can be difficult” (page 304). Beta risk is . . . . Alpha risk is . . . .

LCT: Reviewing Exhibit 17.1, Value Implications of Risk Appetite Change, distinguish between beta and alpha risk. This is reprinted as Exhibit 2.3 in this chapter.

LN: Distinguishing requires recognizing, comprehending, and determining. Definition recall does not. Difficult material may necessitate additional teacher facilitation and at the same time offer another student learning opportunity for discovery.

Example #10. Chapter 18: Managing Financial Risk

TL: Cover Exhibit 18.1, Examples of Contracts Traded on Major U.S. Futures Exchanges (page 322). Cover cases on currency risk, interest rate risk, and commodity price risk (pages 323–325). Identify the financial question of “Does Hedging Affect Firm Value?” (page 327).

LCT: Explore the available futures contracts on

• Agriculture
• Energy
• Equity index
• Foreign exchange (FX)
• Interest rates
• Metals
• Options
• Over-the-counter (OTC) market
• Real estate
• Weather

Select a specific futures contract of interest to your group under Products & Trading, Products (for example, EUR/USD under FX). Review the quotes and the contract specifications for your selected futures contract. Suggest a scenario where your selected futures contract could be applied. Critique the financial issue of “Does Hedging Affect Firm Value?”

Exhibit 2.3 Value Implications of Risk Appetite Changes [figure; labels: Capital requirement; Alpha (value creation); Zeta (value loss); Efficient frontier for business portfolio. A = Current position; B = Value destruction—uncompensated risk; C = Target position—no value change; D = True value creation]

LN: Students are engaged by explore, review, suggest, and apply versus covering three examples they have already read. Note that the teacher may need to facilitate the estimation of the selected futures contract’s payoff, which may be any of those available, not just the three prepared text examples. Every class to date has had at least one group select a weather futures contract. Content is used in the learning process.

Example #11. Chapter 19: Bank Capital Regulation and Enterprise Risk Management

TL: Economic capital is . . . Cover Exhibit 19.4 (page 344). This is reprinted as Exhibit 2.4 in this chapter.

LCT: Distinguish minimum capital requirements from economic capital. Assess the impact of a “black swan” event on the expected loss and confidence level. Appraise the effect of Asset Price Liquidity under a Panic, Exhibit 17.6 (page 312), on the expected loss. Offer an economic outcome scenario that includes the black swan event and panic.

LN: This obviously refers to the subprime crisis (pages 89–90, 346, 351, 360–361), economic crisis (page 32), and Troubled Asset Relief Program (TARP) (pages 11 and 303), along with related topics discussed elsewhere. The intent is to not repeat (cover) the knowledge, but rather to build on (use) the knowledge the students are likely to have already seen, if not experienced.

Exhibit 2.4 Economic Capital [figure; vertical axis: Frequency of Loss; horizontal axis: Amount of Loss (increasing to the right); marked: Expected Loss, Confidence Level, Economic Capital]. Source: Robert L. Burns, “Economic Capital and the Assessment of Capital Adequacy,” Supervisory Insights, Federal Deposit Insurance Corporation, Winter 2004.

Example #12. Chapter 20: Legal Risk Post-SOX and the Subprime Fiasco

TL: Whistle-blower protection is . . . (pages 357–358, 363).

LCT: Assume you find yourself in a position to be a whistle-blower. Speculate as to the trade-offs involved if you’re the whistle-blower.

LN: Google “whistle-blowers SOX.” In other areas of ERM, students, especially working MBAs, may be able to provide examples of loss experiences, mitigation efforts, and risk management. To avoid overly personal discussion, whistle-blowing may be better approached by referring to publicly available information and examples. Discussion of successful and unsuccessful whistle-blowing protection under SOX is very enlightening and productive, while avoiding overly personal disclosure.

Example #13. Chapter 23: Academic Research on Enterprise Risk Management

TL: The first article is . . . ; it found . . . (pages 422–438).

LCT: Critique the article(s) your group was assigned. Appraise the article(s) and survey findings. Theorize about one or more of the findings.


LN: Reading the findings of the academic research is a recall, memorization, and possible comprehension learning activity. Creating a hypothesis or theory as to why growing firms, for example, are more likely to appoint a CRO (page 427) leads to an inductive learning discussion.

Example #14. Chapter 10: How to Plan and Run a Risk Management Workshop; Chapter 22: Who Reads What Most Often?

TL: Cover respective chapters without any link.

LCT: Review the findings on the use of consultants in Chapter 22 (page 394). Imagine your group is an ERM consulting firm. Suggest techniques, approaches, and tools that could be used to respond to the survey results in Chapter 22.

LN: This is an example of one of many instances where topic coverage can be linked to further group discussion.

REFERENCES

Anderson, Lorin W., and David R. Krathwohl, eds. 2001. A Taxonomy for Learning, Teaching, and Assessing—A Revision of Bloom’s Taxonomy of Educational Objectives. New York: Longman Press.

Bean, John C. 2011. Engaging Ideas: The Professor’s Guide to Integrating Writing, Critical Thinking and Active Learning in the Classroom. 2nd ed. San Francisco: Jossey-Bass, A Wiley Imprint.

Bloom, Benjamin S. 1956. Taxonomy of Educational Objectives: The Classification of Educational Goals. New York: David McKay.

Blumberg, Phyllis. 2009. Developing Learner-Centered Teaching: A Practical Guide for Faculty. San Francisco: Jossey-Bass, A Wiley Imprint.

Blumberg, Phyllis, and Laura Pontiggia. 2011. “Benchmarking the Degree of Implementation of Learner-Centered Teaching Approaches.” Innovative Higher Education 36 (November), 189–202.

Fraser, John, and Betty J. Simkins, eds. 2010. Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Robert W. Kolb Series in Finance. Hoboken, NJ: John Wiley & Sons.

Millard, Elizabeth. 2012. “5 Reasons FLIPPED Classrooms Work.” University Business 15:11 (December), 26–29.

Shibley, Ivan A., Jr., and Timothy D. Wilson. 2012. “The Flipped Classroom: Rethinking the Way You Teach.” Magna Online Seminars, Magna Publications, August 23.

Smart, Karl L., Christine Witt, and James P. Scott. 2012. “Toward Learner-Centered Teaching: An Inductive Approach.” Business Communication Quarterly 75:4, 392–403.

Steinberg, Esther R. 1991. Computer-Assisted Instruction: A Synthesis of Theory, Practice and Technology. Hillsdale, NJ: Lawrence Erlbaum Associates.

Weimer, Maryellen. 2002. Learner Centered Teaching. San Francisco: Jossey-Bass, A Wiley Imprint.

Wohlfarth, DeDe, with Graduate Students Daniel Sheras, Jessica L. Bennett, Bethany Simon, Jody H. Pimental, and Laura E. Gabel. 2008. “Student Perceptions of Learner-Centered Teaching.” Insight: A Journal of Scholarly Teaching 3, 67–74.


Wright, Gloria Brown. 2011. “Student-Centered Learning in Higher Education.” International Journal of Teaching and Learning in Higher Education 23:3, 92–97.

Yang, Xiaomei. 2010. “The Globalization and Localization of ‘Learner-Centered’ Strategy for an International Horizon.” Asian Social Science 6:9, 78–81.

ABOUT THE CONTRIBUTORS

David R. Lange, DBA (University of Kentucky), is an Auburn University Montgomery (AUM) Distinguished Research and Teaching Professor of Finance. He has received many prestigious awards for both research and teaching from the University and from several academic associations. In 2012, he received the Academy of Economics and Finance (AEF) Fellow Award in recognition of extraordinary contributions and achievements to the AEF’s mission of advancing teaching, research, and service. David was the Lowder-Weil Professor and Chair of the Applied Life Insurance Education and Research Program, and a frequent presenter in the AEF Teacher Training Program. He has taught classes in commercial risk management and insurance, enterprise risk management, financial valuation, and investments and portfolio management. He has also consulted in a significant number of individual and class insurance-related cases in both state and federal court. Professionally, David has served as the Eastern Finance Association executive director and VP-finance, as well as program chair and president for both the Academy of Financial Services and the Academy of Economics and Finance.

Betty J. Simkins, PhD, is Williams Companies Chair of Business and Professor of Finance at Oklahoma State University. Betty received her PhD from Case Western Reserve University. She has had more than 50 publications in academic finance journals. She has won awards for her teaching, research, and outreach, including the top awards at Oklahoma State University: the Regents Distinguished Research Award and the Outreach Excellence Award. Her primary areas of research are risk management, energy finance, and corporate governance. She serves on the editorial boards of nine academic journals, including the Journal of Banking and Finance; is past co-editor of the Journal of Applied Finance; and is past president of the Eastern Finance Association. She also serves on the Executive Advisory Committee of the Conference Board of Canada’s Strategic Risk Council. In addition to this book, she has published two others: Energy Finance and Economics: Analysis and Valuation, Risk Management and the Future of Energy and Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Prior to entering academia, she worked in the corporate world for ConocoPhillips and Williams Companies. She conducts executive education courses for companies globally.


ERM Implementation at Leading Organizations


ERM at Mars, Incorporated

ERM for Strategy and Operations

LARRY WARNER
President, Warner Risk Group

This case study outlines the development of Mars, Incorporated’s Enterprise Risk Management (ERM) program, from its initial phases in early 2003 through the spring of 2012. The views expressed in this case study are those of the author, and may not be those of Mars, Incorporated (Mars). Additionally, as with any ERM program, Mars’ program has continued to evolve since 2012.

Throughout this case study, I have used first names for a number of key individuals who contributed to the success of the program. (Please note all names have been changed.) In speaking with other ERM practitioners, such early adopters of an ERM program typically help contribute to an ERM program’s development, evolution, and success. In this case study they helped spread and embed the process in their business units and in other units as they took on new roles. Most of the major improvements in the evolution of this program resulted from working with these individuals to address the needs of their business units. By identifying these players’ involvement in the early stages of the program and their subsequent roles, the case study reader should gain an understanding of the importance of and the need to cultivate relationships with these early adopters.

MARS’ ERM HISTORY

In essence, Mars’ ERM program began with the company’s inception by Forrest Mars.1 Historically, the leadership at Mars had a serious commitment to risk management. ERM represented one natural evolution from these practices.

In conjunction with the transition to nonfamily management in the early 2000s, the corporation established challenging growth, earnings, and cost targets. To achieve these objectives, the company undertook a number of key initiatives. ERM became one of these.

In 2002, Roger, the CFO at the time, and I sat down and discussed how an ERM program might help better manage the business. We recognized that we lacked the experience to implement such a program on our own, and asked two of our existing service providers with ERM practices to make proposals as to how they might assist us in this project. As Roger put it, “We need someone to transfer knowledge to Larry.”

One vendor pushed for a Committee of Sponsoring Organizations (COSO) structure. The other suggested we develop a program that leveraged Mars’ unique strengths. As a large, privately held, decentralized company, we agreed that the latter better met our needs.

At this point, we decided that we wanted to develop ERM and not what one might call an “enterprise compliance management” (ECM) program. This represented a critical decision in Mars’ ERM development.

To kick things off, we took a risk management survey of the 15 or so managers on Mars’ global management team. We spent a couple of hours personally completing the survey with David, who was to become the president of Mars at the beginning of 2003. This was a critical move in the development of the program, as we gained an understanding of his views on risk management and how we might develop the ERM program.

Following the survey, we recognized the need to gain an even broader understanding of how the associates (Mars does not have employees) in the business viewed risk. We decided to conduct risk assessment workshops for a function (Service & Finance), geography (Canada), and product group (European Sugar). Working with our consultants, we selected a gap analysis methodology. In gap analysis, you evaluate the inherent risk (impact and likelihood) with limited controls (e.g., buying commodities at spot cost as opposed to with futures contracts) against management effectiveness.

We had the first workshop with the global finance team during our corporate meetings in the summer of 2003. The ERM team had a major win during this session. At the time, Mars was undertaking a substantial investment. During the session, the consensus of the group was that we, Mars, had adopted too aggressive a time frame to be successful. By the next day, the corporation announced a change in the rollout of the project.

During the session, the CFOs of Europe and the United States both commented on how beneficial this workshop had been. This was critical for two reasons. First, it generated buy-in from additional senior management. Second, the CFO of Europe, Oscar, would soon be named the new CFO of Mars upon Roger’s retirement.

We began calling discoveries like the one in the global finance team’s workshop the “known unknowns,” because many of the participants knew and/or were concerned about the issue before the meeting; however, it had never risen to such a level that it was formally brought forward to the group. We developed a scenario that explained such discoveries and how they could help the business. For example, two management team members have dinner after work. They discuss an issue that concerns them; however, for some reason this issue does not arise during team meetings, perhaps because they do not believe they have adequate expertise to challenge the group’s thinking, or one team member was so passionate about the issue that everyone else deferred. Over the years, we found that these “known unknowns” frequently held the key to a business’s success. In training workshop facilitators, we held identifying known unknowns as a major key to successful workshops.

In Canada, the general manager asked us to help his team evaluate their newly finalized strategy and provide an additional day of action planning based on our findings. While the workshop did not turn up any major known unknowns, the participants felt the process enabled them to evaluate properly the risks with their strategy and make enhancements that would increase the likelihood of success.

Our final assessment with European Sugar had a major win, as it delayed a major product launch. The workshop identified key doubts in the potential success of the new product and its distinct format. The product team was tasked to return to the next management team meeting to address the issues identified in the risk assessment.

The participants in all three workshops deemed them successful and provided senior management with positive feedback. The ERM team also had major learnings. First, the workshops revealed a common risk aversion among most associates. To enable the company to grow faster, senior management knew that units had to take on more risk. Based on the initial success of our risk assessments, senior management felt that ERM would be one tool to enhance growth.

The second major discovery revolved around the workshops themselves. To determine management effectiveness, we had asked participants to base their anonymous votes on limited controls (e.g., buying commodities at spot as opposed to with futures contracts). Universally, we received push-back, as the company had a control mind-set as one of its basic tenets. As such, the importance of control had become ingrained within all associates over many years.

Failure and Retrenchment

Based on the success of our three pilot workshops, we received the go-ahead to develop a full-scale ERM process. In early 2004, we put together a multifunctional, global team, supported by our consultant, to develop an ERM program. Over the next five months, we held monthly meetings to rough out a program. Three of the regional presidents acted as our advisers.

In June we presented our program, including a unit to pilot its implementation, to the Mars management team. At the end of the presentation, David, Mars’ president, looked at us and stated that this looked like a major software transition, and we had done that once and were not going through that again. The rest of the management team agreed. David looked at me and said, “Larry, I know you can scare people when it comes to risk. I want you to take your team and develop a process that will generate a risk discussion mentality for the units. I want you to work with several of our larger units—China, Russia, Australia, and Europe.” He asked us to begin in China in three weeks and build the process around our annual operating planning process.

I believe it is important to note here that ERM is an evolutionary process. I believe that having our first approach rejected ultimately led to our successful development of a more practical, less complex approach. Looking back, I doubt that our initial approach would have worked at Mars due to its complexity.

PHASE 2—SUCCESS

There were three components of the proposal that were well received, which we kept with minor revisions and additions. First, our basic tenets for development still existed, but we now had better clarity. Senior management clearly sought:

• A methodology to determine what is actually achievable by business units in the context of corporate performance objectives
• To improve alignment and accountability around the pursuit and execution of each business unit’s goals and objectives
• To foster a risk discussion mentality among business unit management teams
• A mechanism that enables managers to knowledgably and comfortably take risks in order to achieve growth goals that exceed overall market growth
• A tool to objectively track performance

Our original mission statement remained: “The objective of ERM is to provide the company with a proven, sustainable framework to proactively understand and deal with complex business risks, both tangible and intangible, existing and emerging, across the entire organization.” This statement became the guideline against which we evaluated the development and evolution of the program.

Senior management also agreed with the major principles for the design of an ERM process:

• Create value.
• Leverage the company’s unique strengths.
• Work with existing organizational structure.
• View risk as opportunity.
• Encourage alignment and accountability.

While these represented great tenets to develop a program, we basically were where we had begun six months before, working with a clean slate.

While “create value” seems obvious, we did not know where this would take us as we began building a new program following our unsuccessful initial attempt. However, we had better clarity regarding senior management’s view of what was needed. Understanding and meeting the needs of senior management provided the keystone for the development of our program.

From the company’s perspective, “unique strengths” meant privately held and decentralized. Senior management similarly made working within an existing organizational structure equally straightforward. They wanted the ERM team to build the ERM process into the annual operating plan without adding any staff. We were to use regional Service & Finance Staff Officers to assist us.

Based on our findings of risk aversion in our initial workshops, we knew that viewing risk as an opportunity meant a cultural shift. Finally, we understood that encouraging alignment and accountability meant a process that enabled unit management teams to align and agree to the objectives they could legitimately achieve within the constraints of the risks identified in the ERM process. We found that these two things went hand in hand. By developing alignment around the risks to a unit’s operating plan and the optimal risk treatments, the ERM process would enable business units (BUs) to take on more risk to enhance their opportunities and capabilities for growth.


On the Monday three weeks after our presentation to the management team, our consultant, his two assistants, and I were blankly looking at each other across a table in a meeting room in the China office outside of Beijing. We had no idea what we should do. We decided interviewing everyone on the China management team might generate some ideas.

Based on the unit’s 2005 operating plan and these interviews, we developed a template that we thought captured their input. Each sheet reflected an initiative of the operating plan (e.g., grow Brand X 5 percent in 2005 and deliver operating plan profit). The template looked quite simple. It had a header for the objective with a block for a score next to it and two columns underneath—risks on the left and risk treatments on the right. (We initially used the term mitigation; however, at an ERM conference, one of the audience members pointed out that mitigation did not coincide with our stated objectives. Instead risk treatment better reflected “viewing risk as an opportunity.”) We spent several days filling the templates with the risk and risk treatments, which the business unit managers had identified with their 10 key initiatives for 2005.

We provided the templates and additional background in a preread package to allow the participants to prepare in advance of the workshop.

We started the workshop by having the management team force rank the initiatives from 1 to 10 (or the total number of initiatives which they had). We compiled the results and projected them onto the screen, discussing the differences and/or alignment among the votes. We then asked them to agree or change the prioritization, thereby beginning the alignment process. (This became the initial item in all future workshops.) Understanding the differences in rankings led the participants to understand others’ views of importance, and in some cases gain a better understanding of the actual operating plan objectives.

We took the initiative voted as the top priority and began the workshop. We reviewed the definition of the initiative, and the management team edited and aligned behind the final definition. We then validated and added risks and then risk treatments. When we, the facilitators, sensed we had captured the major risks and risk treatments, we moved to an anonymous vote on the probability of successfully achieving the objectives, using a scale of 1 to 9, with 1 representing 10 percent or less, 2 representing 20 percent, and 9 representing 90 percent or more. Voters would take into consideration the things they could control, their unit’s capabilities and resources, potential competitor activities, and so on.

When the votes appeared on the screen, we found them generally spread across a range of 4 to 5 on the scale (e.g., 3, 4, 5, 6, and 7). As facilitators, we led a discussion as to why someone might vote a 3 and others a 7. We found that having the lower-voting participants lay out their reasoning led to better discussions. The higher-voting team members would attempt to address the concerns raised by the lower-voting participants. Over time the facilitators could sense alignment in the room and have the participants take a second anonymous vote. The second vote’s results generally aligned around two numbers or were centered on one number with one or two outliers above and below the center vote.

The first workshop went exceedingly well. We then headed to Australia for our second workshop. This was a critical test for two reasons. First, one of the Mars regional presidents, who advised us throughout the initial ERM development process, participated. Second, our senior consultant had to go back to the United States, so his two assistants were to help me build and facilitate the workshop—one as a co-facilitator and the other as the editor of the workshop templates and operator of the voting technology and workshop. Here again we had a successful workshop.

Our next workshop took place in Russia. We had several major learnings from this workshop. First, when you have a very strong and charismatic general manager (GM), it is important for the facilitators to ensure that the entire management team participates. To this end, we pulled the GM aside and requested that he withhold his comments to the end. We would go to him to wrap things up. It became a common practice for facilitators to ask GMs to “work with us” to ensure that all team members participated, and to allow the GMs to wrap up with comments before the final vote. It was a way for facilitators to better control the process and to make sure the known unknowns became visible.

At one point the GM stopped the session and stated, “This process helps you focus on what’s important.” This became a mantra of our ERM process.

As Russia had gone through several currency issues in the 10 years the unit had been in operation, the GM and CFO asked for us to build a template of how it could effectively handle a currency crisis. We did as requested, and the management team felt they identified the actions they needed to take in the event of such an occurrence.

This activity may seem minor, but it highlights two key points that ultimately contributed to the ERM program’s success. First, business units have unique needs and frequently need help in maximizing the use of ERM. By ensuring that the program had some flexibility, units were more likely to leverage its benefits. Second, we learned to constantly try new things. Many of our evolutionary improvements to the process resulted from requests or suggestions from individual units.

Our final workshop in the 2004 pilot took place with a subgroup of the European management team. Known to only a few key members of this team and a few senior managers at the corporate level, Mars had begun the initial phases of a major project. The Regional Staff Officer of Service & Finance (S&F) lobbied the Regional President of Europe to have our new ERM process validate their work. Here again we tried a new activity with them in the workshop. This enabled them to identify the low, high, and most likely outcome of their key objectives, based on an analysis of the risk involved. While this activity was helpful, they advised us that the template that we had used in the other workshops proved the most beneficial to them.

Based on the success of this workshop, the Regional President of Europe asked us to perform three workshops, one in each of the countries that would be participating in the project.

During the interview process in one of the countries, it became clear to us that they had not progressed to the point needed to launch their project. We advised the European management team of this. The general managers of the two units in this country were not only greatly appreciative but also became two of the biggest advocates of ERM in each role they subsequently held within the business.

The participants in all three countries found this process better enabled them to prepare for implementation. They identified critical risks and solutions that enabled them to successfully achieve their objectives.

Ben, the new Regional S&F Staff Officer from Europe, cofacilitated each of these workshops with me. (Through this work, Ben became a major supporter of ERM as he progressed to become the CFO of the company’s largest segment.) As the program developed, several of our earliest participants in the program (facilitators and management team members) became our biggest advocates. This acted to increase the “pull” of the program through the business as opposed to corporate needing to “push” it through.

GLOBAL ROLLOUT

Based on the feedback from the workshops and the support of the two regional presidents, the next phase was to move forward with a global rollout of the ERM program.

For 2005, we targeted 17 units for workshops to assess the risks of their 2006 Operating Plans. China, Australia, Russia, and virtually every general manager from the seven units in the European project asked to be included in the rollout.

Here again our design principles were reaffirmed. Management believed the process created value, helped units become less risk averse (view risk as an oppor- tunity), and encouraged alignment and accountability among the participants. Our remit to work within the annual operating plan reaffirmed “work within an exist- ing organizational structure.”

Many companies would find their planning process similar to Mars. Business units begin developing their annual plans nine to 12 months before January 1, based on their long-term strategies within the context of the broader segment and corporate strategies. They receive input from their segment management teams. Mars has six segments: Chocolate, Drinks, Food, Petcare, Symbioscience, and Wrigley. Late in the year they present their plan to management. ERM represents one component of their presentations.

For the rollout, the ERM team developed formalized interview templates. Although we always interviewed the GM first, the team began to have joint interviews with the GM and S&F head (CFO), who acts as the GM’s copilot. We found that these joint interviews provided much more detail and reduced the number of other business unit (BU) team members we had to interview. The workshops were time consuming to build, each taking approximately one person-week, or more for larger, more complex units. Any time savings proved beneficial, as the team had very limited resources. It also represented an evolutionary step in our process.

The ERM team entered the process with only three facilitators skilled in our new process—our consultants (Bill and Greg) and me. As we wanted to internalize the process, we had to train an adequate number of internal facilitators. Optimally, two facilitators would run a workshop with one operator, the person responsible for operating the voting technology, updating the templates as we spoke, and keeping notes.

These ERM workshops require atypical facilitation skills. A facilitator needs a great deal of knowledge of the business, good facilitation skills, and the ability to challenge participants. We found over time that some people, recognized as good facilitators for most activities, proved ineffective in ERM workshops as they lacked the ability to aggressively challenge the management teams from an operational or strategic perspective.

Oscar instructed both regional and functional S&F staff officers, who reported to him, to support us. (Regional S&F staff officers support the Mars CFO in the region, while functional staff officers oversee specific functions—e.g., Treasury, Risk, Control, Strategy, etc.) Oscar directed the regional S&F staff to help us schedule the sessions and to act as our cofacilitators in their regions. Several nonregional S&F staff officers and George, who worked for me, were also to be trained and act as facilitators. All of these associates had the requisite skill set to be effective in the ERM workshops. The use of S&F staff officers to assist us reaffirmed both “work within an existing organizational structure” and “leverage unique strengths.”

We kicked off the rollout the first two weeks of August, conducting workshops at our three U.S. units—Food, Snackfood, and Petcare. All three were successful and we identified serious risks or (better said) opportunities for each plan. We trained George and Elizabeth (the Staff Officer of Strategy) during the Food and Snackfood workshops.

The votes at U.S. Petcare revealed a lack of alignment around the probability of success of several key initiatives to their plan. The GM complained that the team had just spent two weeks, including an off-site planning session, making major additions and revisions to the plan, but no one had raised the issue, which arose during the workshop; however, we pointed out that the intent of the ERM process was to identify these issues prior to the implementation of the operating plan. This would enable units to address these issues in time to increase the likelihood of success.

The following week, Elizabeth ran the Mexican workshop, training the regional staff officer and Jim, her direct report. In the meantime, I went to Asia for the China, Japan, and three Australian workshops. In Asia, the presence of early supporters played a key role in our success. Mars China had found great value in our initial workshop and began to use the program as a key component of its operational and strategic planning process.

The new general manager in Japan had participated in the pilot workshop in Canada and in the UK project workshop as one of the GMs. He was keen to use ERM as a tool to help his team reinforce their growth and market position.

In Australia, we began the following week with our Snackfood unit. It was the first day on the job for the general manager, who was new to Mars. He felt the workshop proved quite beneficial as not only did he become familiar with his direct reports, but he gained an understanding of the issues confronting the business, which he felt would have otherwise taken months to learn.

In Australia, we had a major learning: We needed a process to ensure follow-up on issues identified during the workshops. John, the CFO for Australia with operational responsibility for the petcare unit, noted that in his preparation for the workshop he reviewed the output from the prior year. The team had actually identified their major risk for 2005 and the treatments to address this issue. Unfortunately, they had not used the prior year’s solutions, and had not met their targets for the issue. John became one of the biggest advocates and supporters of ERM as he moved on to CFO of the Russia unit and then U.S. Chocolate.

REPORTING

Ultimately we conducted 18 unit workshops, one for our quant group, and a corporate one. At the end of the process we reviewed all of the output. We recognized the need for categorizing the differences between the votes to report risk using a color key for risk profiles (see Exhibit 3.1). In reviewing the voting scores, it appeared that five groupings existed. We had some actuaries review the data as well, and they came up with the same results.

Exhibit 3.1 Color Key for the Risk Profile Score

Score bands, from highest to lowest: 7.5 and greater; 7.0 to 7.4; 6.0 to 6.9; 5.0 to 5.9; 5.0 and less. Axis label: increased probability of achievement and/or increased level of management effectiveness.

Companies frequently like to use three colors in their corporate dashboards; however, most experts seem to agree that risk is not so cut-and-dried, and recommend four or five risk categorizations. As a workshop facilitator, one can generally detect why a score was blue and not green. In discussions challenging such a vote, facilitators frequently heard general managers or other participants speak very clearly as to why an initiative is blue and not green.

Following the addition of risk categories, the ERM team developed a summary report, in priority order, consisting of each initiative, its definition, and each initiative’s risk profile (see Exhibit 3.2). These were compiled by region and submitted to the Mars management team and the regional management teams, along with the complete workshop reports.

Although senior managers reviewed these reports, it was too early in the process for them to understand fully the potential of ERM. This was highlighted in January 2007 during my annual review with Oscar. David, Mars’ president, entered the “fishbowl” room quite perturbed at one of the largest units. The unit had advised of a significant surprise at year-end, which had an impact on the overall business’s year-end results. David looked at me and asked whether this issue had arisen during my new process. I advised him that the unit had raised this as a potential issue, which could adversely impact them entering the new year. They asked me to get them a copy of the complete report, and I took this to mean they had read but not kept the original.

Exhibit 3.2 Summary Report

The unit’s ERM workshop output had the issue as a “red” in their submission. While both David and Oscar agreed that they expected some units to have initiatives with a red risk profile, they would not accept a unit to have a red issue and not address it or communicate the potential impact as appropriate. This became a basic tenet of the ERM process. This incident also proved a major win for ERM, as David became extremely interested in the quarterly updates, which began shortly thereafter.

To ensure that units used ERM throughout the year and communicated their views on risk to senior management, we developed an ERM dashboard template. This included the initiatives in priority order, the risk profile of each initiative for each quarter (beginning with the workshop in Q3), the risk profile trend—stable, improving, or declining—and a comment column for providing a view for year-end (see Exhibit 3.3). This became an excellent tool for communicating for several reasons. First, units that did not do so already had to review their risks and risk treatments quarterly. This helped them to have a risk mentality mind-set, which David had given us as a goal at the beginning. Second, senior managers could quickly identify units that were struggling with issues. For the first couple of years of the program, David would meet with the corporate controller, to review the quarterly reports. Finally, it provided units with a tool to communicate to management that things were on track, although the first or second quarter sales may not have appeared that way.

Exhibit 3.3 Quarterly Update

An excellent example of the latter point occurred the first year we used the reporting template. In a large market where the company had a strong number three position, the unit’s reported sales appeared to fall below its plan at the end of the first, second, and third quarters of 2006.

I had facilitated the unit’s workshop. As their two main competitors, which had a significant share of the market, planned to front-end load their activities (e.g., advertising, consumer promotions, trade discounts, etc.) into the first and second quarter, the unit decided to focus the vast majority of its activities into the second half, especially the fourth quarter. Each quarter the unit reported its key brands as having green risk profiles. Each quarter, Oscar had me contact and challenge the unit CFO on this point. Each quarter the unit CFO responded that the unit had back-end loaded its activity set into Q3 and Q4, and I confirmed to Oscar that this had been the case in the workshop as well. In the end, the unit delivered about 105 percent of its planned sales, and the ERM Quarterly Report gained a great deal of credibility.

One thing that we noted from both the pilot year and the launch year was that participants did not always seem to vote on the same thing on an initiative. For example, an objective may read, “Maintain market leadership while achieving growth and profitability targets.” A unit might have 35 percent market share, and it could hold market leadership at 25 percent. One participant may vote low because she believes market share will fall to 32 percent while another participant votes high because this will still represent market leadership. Similarly, divergent votes on achieving growth and profitability may result as different participants vote on gross sales versus net sales, and earnings versus margins.

Exhibit 3.4 Targets

To resolve this problem, we changed the process for the 2007 Operating Plan workshops, conducted in Q3 of 2006, and all future workshops. We required units to specify measurable targets within each objective (see Exhibit 3.4).

Units could do this for all initiatives, including intangible ones. For instance, associate engagement targets would include specific numerical scores for the units and follow-up percentage targets for management. Similarly, “Have the right people for the right jobs” would become “Have one person for each critical job in the unit’s succession plan.” These objectives would have measurable targets by which the unit could report progress throughout the course of the year.

2007 OPERATING PLAN WORKSHOPS

In 2006, we made two major changes. We added a strategic component to the workshop. We also pushed most of the workshop development to the units.

In terms of a strategic component, we added a column to the existing workshop template that held the activities the unit needed to undertake to successfully implement its long-term strategic objectives. The strategic component proved unsuccessful for three major reasons. First, we found that units without a completed long-term strategy did not find this worthwhile. Second, the shift from the operating plan in the morning to the strategic plan in the afternoon proved too mentally taxing. Workshop participants tend to be less effective late in the afternoon due to the mental focus required in the workshop, and the transition to the longer-term view in the afternoon seemed to make this afternoon lapse worse. Finally, we found the extra column in the strategic template unnecessary. Units preferred to use the standard workshop template for both operational and strategic issues. For all future strategic workshops, we used only the standard template.

For the 2006 Operating Plan workshops, we found it very time consuming for facilitators to build each individual workshop. To build each workshop, the two facilitators interviewed the general manager, the unit CFO, and several other unit management team members. They would then take the unit’s key operating plan objectives and compile the templates by adding the risks and risk treatments based on their interpretation of the interviews. Between the interviews and the workshop compilation, it could take as much as a person-week to build a workshop. As facilitators typically had very senior positions, this did not represent an effective use of their time. This time-consuming process would greatly limit the number of workshops that we could have, unless we could find a better solution.

At this time, the company was moving to increasingly standardized planning tools. The units could use these tools to develop their own workshops, with minimal guidance and support of the workshop facilitators. This aligned well with our objective to simplify the workshop development process and aided us in pushing much of the workshop development to the unit. We developed a PowerPoint presentation that outlined the process, as summarized in Exhibit 3.5.

This new approach greatly reduced the time to build a workshop. By having initiative owners confirm the definition of the objectives, adding what they viewed as the major four or five risks and risk treatments, we not only reduced the time necessary to build a workshop, but we also improved the quality of the workshops. The latter was achieved because the facilitators no longer had to interpret what they had heard in the workshop. Instead, the actual owners populated this data, which the management team validated in the workshop. This had the additional benefit of increasing the ownership of the process within the unit.

TECHNOLOGY

When the ERM program began in 2003, the ERM team consciously did not select a technology solution. The company did not want a technology solution to drive the process. By 2007, the program had developed to the point that we needed technological support. First, we moved from using Word to Excel. This enabled us to develop a comprehensive Excel tool for workshop development and data capture. Second, we selected a software vendor whose product could most closely adapt to our process.

The Excel tool greatly streamlined the process for building workshops. It made it easier to define initiatives and for users to build individual templates in preparation for workshops. More importantly, it enabled workshop operators to revise and add information to the templates more easily during workshops. This enabled workshop participants and operators to focus better on the process.

Exhibit 3.5 Sample Planning Process

# / Activity / Timing

1. The unit CFO provides the facilitators with the key operating planning documents, standard planning documents, and so on.

2. The facilitators hold a teleconference with the unit’s GM and CFO to identify relevant operating plan initiatives and strategic risks from last year’s assessment and add new operating plan initiatives and strategic risks. (Timing: 1.25 to 1.5 hours)

3. The facilitators prepopulate the workshop template with initiative definitions, based on the interview, the planning documents provided, and output from the prior year. (Timing: 1.5 hours)

4. Facilitators send the prepopulated workshop template to the unit CFO.

5. The unit CFO forwards each template to the unit’s Management Team and to the individual initiative owner.

6. Initiative owners confirm the initiative definition, including key metrics, add four to five risks, and add four to five risk treatments. (Timing: 0.5 to 1 hour per initiative)

7. The unit CFO consolidates the templates and forwards them to the facilitators and the unit GM. (Timing: 1 hour)

8. One facilitator has a review with the unit GM and/or CFO of the workshop template to validate the input and identify any key points. (Timing: 30 minutes)

9. The unit CFO distributes the final workshop template to the unit’s Management Team as a preread package.

10. Workshop. (Timing: 8 hours)

The software resulted in two major improvements in the process. First, it enabled units to update their risk profiles into a system. It also provided more flexibility than previously available using Word.

Data capture and reporting represented the other major improvements provided by the software. Using the Excel tool following each workshop, we categorized each initiative and risk by function (e.g., Service and Finance, Sales, Marketing, etc.). Similarly, we categorized these using the risk definitions, which the initial working group had developed.

AGGREGATION

The company historically had very well-defined ranges of risk that it would take on in the areas of currencies, commodities, insurance, and so on. It had comprehensive reporting that aggregated such financial risks. Although these areas were well managed at the regional, segment, or corporate level, their role frequently influenced decisions at the business unit level.

While companies can easily aggregate these types of financial risks, the ERM process presented other types of information. The output of the ERM workshops produced both qualitative and quantitative data, as well as tangible and intangible risks. These included operational, supply chain, and human resources risks.

To aggregate these risks and identify emerging risks for regional, segment, and corporate management teams, the ERM team had two methodologies—human review and technology. In the early years, the ERM team would review all of the workshop output and summarize the three or four key themes for the corporate management team. In some cases, they would delegate the review of this information to the individual(s) responsible for the issue. In two cases, the ERM team led a short workshop with the corporate management team on one or two of the critical issues identified.

In many of the early workshops, the ERM team was surprised to find so many human resources issues across the world. Frequently, these rose to be near the top of the list in priority for many units. Bringing these out in workshops enabled the units to view these from the perspective of risk to the business. On a corporate, aggregated basis, this gave leadership a different perspective (i.e., risk) from which to view the issue, and over time how their initiatives worked to improve the risk at the corporate and unit levels.

Once the company moved to segments from regions, the ERM team aggregated the output from the individual units in the segment and conducted workshops with the segment management teams, to help them identify the key issues confronting their business in the coming year. These included themes and emerging risks identified across the entire business, but focused on their impact on the individual segment. This was done in conjunction with their overall planning activities, bringing risk into their evaluation process. Some segments found this quite useful in helping them to allocate resources and identify action plans to improve the likelihood of the segment’s success in the upcoming year. Segments that found this helpful held these workshops annually.

In aggregating the risks in the workshops, we considered such issues as these:

• The number of business units impacted
• The number of associates impacted
• The number of business processes or functions impacted
• The impact on our consumers and customers
• The potential impact to our brands

This methodology worked very well with difficult-to-quantify risks. It also helped to identify emerging risks. The overall process identified issues that might be a nuisance in individual markets but when viewed on an aggregated basis had a potential impact on the segment or corporation as a whole.

The software solution provided another opportunity for aggregation. As workshop teams had categorized the initiatives and risks by both function and risk definition, we could run reports or aggregation by business unit; by geography (country, region, corporate); by corporate function (S&F, Sales, Compliance, Marketing); and so on. Once the system had three years of data, it could provide comparisons by year, segment, region, and business unit. This enabled the preparation of summary reports, aggregating the issues identified and changes by year, thus allowing the identification of emerging risks, such as the increasing importance of commodity pricing and availability. The reports provided a summary analysis of the data for the segments, which used this to supplement their ERM work.

Unfortunately, we lost our back-office support for these reports after the first year of developing the capability. As such we were unable to run these reports on an ongoing basis thereafter. The learning for others is to ensure that you select software that your team has the capabilities to fully utilize.

TEMPLATE EVOLUTION

Over the years our template evolved. Some changes resulted from observations made by facilitators. Others came from participants, either during workshops or from periodic global surveys.

During a workshop, facilitators attempt to limit the number of risks and risk treatments to 10 to 15 each (as many as 20 for very large units). However, having so many risks and risk treatments can lead to clarity without perspective.

The initial template simply listed risks and risk treatments in two columns, without referencing which risk treatments applied to the individual risks. The ERM team found that referencing the risk(s) that the individual risk treatments addressed provided better clarity as to the process. Furthermore, this approach helped to better identify the most critical risks and risk treatments. To leverage this opportunity, participants had to identify the three or four most critical risks, defined as those most likely to adversely impact the initiative. They did the same for the three or four most critical risk treatments (i.e., those most likely to lead to success). This led to more robust voting, as participants had a perspective on the impact and likelihood that the most critical risk would occur, as well as the effectiveness of the most critical risk treatments in aiding the team to achieve its objectives.

Initially, when units identified key actions that they believed would increase the likelihood of success, they were included in the summary reports. However, the ERM team discovered that the failure to assign accountability for the activity frequently led to it not getting done. (I have heard this same issue arise in other companies’ programs.) Consequently, an “Action Plan” section was added to the bottom of the template. This improved the results; however, in one workshop the unit asked if they could assign each risk treatment to an individual. This worked very well.

Through experimentation it was found that adding both a responsible party and a completion date added to the robustness of the process. Typically, units would assign the tasks to either management team members or their direct reports. This helped identify situations where one associate or group had too many activities to address properly those things needed to achieve an initiative’s objectives. More important, as the workshop progressed through the day, it frequently became clear that a unit might not have the bandwidth to complete all of their tasks in the time frame allotted. This led to changing deadlines and moving resources around the business in order to improve the likelihood of successfully achieving both individual initiatives as well as overall operating plan objectives. Exhibit 3.6 shows how a completed template from a workshop would appear.


Exhibit 3.6 Mars ERM Template

Template for input in workshops. Columns: Risks (numbered 1 to 10); Risk Treatments (numbered 1 to 8), each with a Risk Ref # column listing the risks it addresses (for example 2,7,8; 5,8; 9,10; 3,6,7,8; or All); and an Action Plan section giving each Risk Treatment Owner (B. Spinard, L. Warner, and G. Smith in the sample) and Due Date (ranging from End Q4 2011 through Q4 2012). The vote columns are headed Greener and Green.
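As an added example (not from the chapter and not Mars’s own tooling), the following Python sketch models the template and color-key scoring described above: it bands an initiative’s average vote per Exhibit 3.1, flags divergent votes as a lack of alignment, computes the quarterly trend from Exhibit 3.3, and runs the accountability checks the template evolved to support (every risk treated, every treatment owned and dated, no owner overloaded). The alignment and overload thresholds and the sample register are assumptions.

```python
"""Risk-register checks modelled on the Mars ERM template (Exhibit 3.6) and
the five-band colour key (Exhibit 3.1). Added illustration; thresholds and
sample data are constructed, not taken from the chapter."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean

# Score bands from Exhibit 3.1, best to worst. The chapter maps these to five
# colours (green, blue, ... red); only the range labels survive, so we use them.
BANDS = ["7.5 and greater", "7.0 to 7.4", "6.0 to 6.9", "5.0 to 5.9", "5.0 and less"]


def band(score):
    """Map an average vote to its Exhibit 3.1 band. The exhibit's last two ranges
    overlap at exactly 5.0; a score of 5.0 goes to the lowest band (assumption)."""
    if score >= 7.5:
        return BANDS[0]
    if score >= 7.0:
        return BANDS[1]
    if score >= 6.0:
        return BANDS[2]
    if score > 5.0:
        return BANDS[3]
    return BANDS[4]


def risk_profile(votes, max_spread=3.0):
    """Summarise one initiative's votes: mean score, its band, and whether the
    votes diverge enough to signal a lack of alignment (as at U.S. Petcare).
    max_spread is an assumed threshold on a 10-point voting scale."""
    score = round(mean(votes), 1)
    spread = max(votes) - min(votes)
    return {"score": score, "band": band(score), "aligned": spread < max_spread}


def trend(prior_band, current_band):
    """Quarterly dashboard trend (Exhibit 3.3): stable, improving, or declining,
    judged by movement between bands rather than by raw score."""
    delta = BANDS.index(prior_band) - BANDS.index(current_band)
    if delta == 0:
        return "stable"
    return "improving" if delta > 0 else "declining"


@dataclass
class Treatment:
    ref: int
    risk_refs: tuple   # risk numbers it addresses, or ("All",) as in the exhibit
    owner: str = ""
    due: str = ""


def check_register(risk_count, treatments, max_per_owner=3):
    """Hygiene checks the chapter arrived at: every risk has a treatment, every
    treatment has an owner and a due date, and no owner carries too many tasks
    (max_per_owner is an assumed limit)."""
    covered = set()
    unassigned = []
    for t in treatments:
        if "All" in t.risk_refs:
            covered.update(range(1, risk_count + 1))
        else:
            covered.update(t.risk_refs)
        if not t.owner or not t.due:
            unassigned.append(t.ref)
    load = Counter(t.owner for t in treatments if t.owner)
    return {
        "untreated_risks": sorted(set(range(1, risk_count + 1)) - covered),
        "unassigned_treatments": unassigned,
        "overloaded_owners": sorted(o for o, n in load.items() if n > max_per_owner),
    }


# Constructed sample register loosely following Exhibit 3.6 (10 risks, 8 treatments),
# deliberately leaving two risks untreated, one treatment undated and one unowned.
SAMPLE_TREATMENTS = [
    Treatment(1, (2, 7, 8), "B. Spinard", "End Q4 2011"),
    Treatment(2, (5, 8), "B. Spinard", "End Q4 2011"),
    Treatment(3, (9, 10), "B. Spinard", "Q3 2012"),
    Treatment(4, (3, 6, 7, 8), "B. Spinard", "Q4 2012"),
    Treatment(5, (2, 5), "L. Warner", ""),
    Treatment(6, (9,), "L. Warner", "June 2012"),
    Treatment(7, (10,), "G. Smith", "May 2012"),
    Treatment(8, (6,), "", "Q1 2012"),
]

if __name__ == "__main__":
    print(risk_profile([8, 7, 9, 8, 8]))      # aligned, top band
    print(risk_profile([9, 4, 8, 3, 7]))      # divergent votes: alignment issue
    print(trend("6.0 to 6.9", "7.5 and greater"))
    print(check_register(10, SAMPLE_TREATMENTS))
```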

SPECIAL SITUATIONS

The ERM team found that engaging key early supporters on an ongoing basis had mutually beneficial results for both. Most of the evolutionary improvements and best practices occurred as a result of these activities.

One major European unit sought to improve their growth rate. In 2006 Pete became the CFO, and in early 2007, Susan became general manager of this unit. Pete had participated in the initial South African workshop as well as his new unit’s 2007 Operating Plan workshop. Susan had played the key role in having the ERM team involved in the 2004 European project.

To turn the business around, Susan and Pete wanted ERM to play a key role in the unit’s growth program. They wanted to hold a series of ERM workshops to support the development of their program. The output would be built into and be monitored on an ongoing basis by their project management office (PMO). Over a period of 18 months, the unit held both the normal operating plan workshops as well as strategic ones. In order to increase the buy-in to the strategy by the entire business, they held a two-day workshop involving both the management team and their direct reports. This totaled approximately 30 associates. These associates were divided into several groups to conduct risk assessments of the proposed new strategies and to identify new activities and risk treatments that would improve the likelihood of achieving success. The output included changes to brands that the unit could best leverage. The process also developed support from multiple levels of the business, as they had an active voice in the process. This program of workshops contributed to the unit’s successful achievement of its performance objectives.

In 2007 the company acquired a U.S.-based entity. About a year later Pete became the new CFO and Maria became the general manager. Maria had been general manager of Australia during the first ERM session in 2004, and has been a strong supporter of ERM ever since. They decided to use a similar approach to the one Pete had helped create in Europe, adding additional objectives. In addition to using ERM to assist in the development and stress testing of a comprehensive business strategy, they wanted to use ERM to assist in evaluating talent, embedding a new culture, and obtaining support from multiple layers of the business from their leadership team, the top 30 or so associates within the business. Over two and a half years, the unit held numerous workshops, both operational and strategic, to help them formulate their strategy and achieve their overall objectives.

Don had been the CFO for the first Australian Food workshop in 2005. In 2007, he became CFO of Japan. He used ERM to evaluate the unit’s strategy. In this case, the unit had the brand manager for each brand come into the room, present the brand’s strategy, and act as an equal member with the management team members in evaluating the likelihood of the brand successfully achieving its objectives. Here again, multilevel participation enhanced the buy-in within the business.

In 2010, Don became CFO of Petcare Asia/Pacific. Like Don, Richard, the GM of the business, had been a long-term supporter of ERM. They decided to use ERM with the regional management team to increase the probability of achieving their objectives. Over a two-year period, we held a series of ERM workshops to help support their development and evolution of their strategy. This included their brand portfolio, asset investment program, individual market investment, asso- ciate development, and so on. In addition to the standard workshop, we helped them with scenario planning to identify risk treatments for competitor activity, regulatory issues, and the like. In their meetings where no workshop was held, Don led the review of the risk profile, and the team voted on the risk profile of each strategic objective.

This team also took the standard template a step further. They categorized the risks and risk treatments by categories within each template. They added a fifth column that specified the actual activity. These were given to either the functional head of the region or the functional team underneath them responsible for the activity set—for example, Sales, Marketing, or Supply (i.e., manufacturing and distribution). The respective teams then provided periodic updates as part of the regional management team’s risk profile update process.

The team found this approach beneficial for the team. As their objectives became “Green” and had been achieved, they developed new templates to reflect their updated strategies.

MAJOR ACQUISITION

When Mars made a major acquisition of a global confectionery company, the early supporters of ERM at Mars played a key role in the adoption of ERM at the acquired company. Jim, one of our original facilitators, took on a high-level role within the acquired business’s U.S. operations. At his urging, the U.S. GM agreed to have an ERM workshop for the 2009 Operating Plan in early 2009. This workshop was well received within the acquired business.

The GM of European Sugar, during our current state assessment workshop in 2003, had been a key supporter of ERM in various senior roles within Mars. When he became a senior manager within the acquired company’s European operations, he introduced ERM in this region. Here again the process was well received.

Lee, the S&F Staff Officer for Mars in Asia, who had observed the first workshop in China and overseen the process in the region thereafter, discussed ERM with Michael, the acquired company’s CFO of Asia. Michael was so intrigued by the process that he had us conduct a 2010 Operating Plan workshop for his largest unit in the region. Following our first workshop, Michael advised us that he had found the process robust, and complementary to their other activities. As such he asked us to conduct additional workshops for the other major markets in his region.

Within two years, we were conducting annual operating plan workshops at business units representing the same high percentage of the acquired company’s global sales that we achieved at Mars.

CONCLUSION

In 2010, Mars received the Corporate Executive Board’s “Force of Ideas Award” for ERM. It was the first recipient in this category. The award was based on the view that Mars had successfully embedded ERM into its business model and that other companies had adopted its process.

The key factors in the success of ERM at Mars include:

• We ensured we aligned the program with the approved principles.

• We focused on achieving our operational and strategic objectives. We did not address compliance. We left that to the associates responsible for compliance, and assisted them in using our tools as appropriate.

• We focused on evolution and not revolution. As a result, the program had a continuous improvement process.

• Flexibility and not rigidity contributed to the program’s results. By assisting units in developing the workshops and updating processes that best met their needs, the program had a demand for services as opposed to a push. Furthermore, many of the evolutions of the program directly resulted from unit requests.

• The process proved to be a good identifier of talent and an opportunity for associate development for the business.

• The ERM team never overpromised what it could deliver. Instead, we set realistic objectives on our rollout and obtained senior management support throughout.

• The ERM team engaged and conducted periodic surveys of the business units, the Mars management team, and the Mars board’s advisers.

QUESTIONS
1. What represents the key success factors of the program?
2. What improvements would you make?
3. Does this represent an effective risk management program? If not, what is missing?
4. Would this program work for a publicly traded corporation of similar size?
5. How important do you view alignment and accountability among a management team?

58 Implementing Enterprise Risk Management

NOTE 1. For information on Mars’ history, see

ABOUT THE CONTRIBUTOR Larry Warner is President of Warner Risk Group, which provides ERM and risk management consulting services. He has almost 30 years of experience in designing and building risk management programs in asset conservation, safety, insurance, and enterprise risk.

Prior to establishing Warner Risk Group in 2012, Larry served as Staff Officer of Risk Management for Mars, Incorporated (including Wrigley), based in McLean, Virginia. At Mars, Larry had global responsibility for developing and coordinating Mars’ enterprise risk management activities, directing Mars’ global asset conservation program, managing Mars’ global property and casualty insurance programs and claims, coordinating the auditing of Mars’ safety programs, and overseeing the placement of its global benefit insurance programs. The Corporate Executive Board awarded Mars its 2010 Force of Ideas Award for Risk Management for its embedding ERM into performance management.

Before joining Mars in 1989, Larry was Assistant Risk Manager at Texas Instruments. He has a BS in geography and an MBA in risk management and corporate finance, both from the University of Georgia. He is a frequent speaker at national risk conferences and contributor for such organizations as the American Strategic Management Institute, the Conference Board, the Corporate Executive Board, and the Risk and Insurance Management Society.


Value and Risk: Enterprise Risk Management at Statoil

ALF ALVINIUSSEN Independent Consultant, Norway

HÅKAN JANKENSGÅRD Researcher, Department of Business Administration and Knut Wicksell Centre for Financial Studies, Lund University, Sweden

The enterprise risk management (ERM) approach to managing a company’s risks promises many benefits. A reading of the literature on the subject will tell you that ERM, among other things, will reduce the frequency of surprises, lead to better allocation of resources, improve risk response decisions, and reduce costly duplication of risk management activities (e.g., COSO 2004).

Many companies are finding out that these benefits don’t always materialize easily. It turns out that implementing a holistic, enterprise-wide approach to risk management often challenges the organizational status quo. Powerful individuals and business units face a potential loss of autonomy and are asked to comply with new reporting requirements. “The way we’ve always done things around here” is no longer good enough, it may seem.

In companies where change is resisted, ERM is at risk of becoming an island, an isolated process whose outputs and opinions are largely ignored by decision makers. These so-called ghost ERM programs contribute little or nothing at all to enterprise value. In this chapter we use the experience of Statoil, a Norwegian oil and gas producer, for lessons about how to overcome these organizational challenges and make the potential benefits of ERM become reality.

At Statoil, understanding and managing risk are today considered core values. This principle has been duly integrated into the organization, and is inscribed in steering documents as well as in a booklet handed out to all employees, describing core values, corporate governance, the operating model, and corporate policies. The company has developed a sophisticated approach to ERM that centers on the principle of value creation. ERM is thoroughly embedded in the business units’ way of doing things, and it appears to enjoy the wholehearted support of Statoil’s executive officers and board of directors.

Statoil has, in other words, managed to make ERM into something that makes a real difference. To gain insights about the success factors behind this outcome, we will investigate how Statoil has dealt with the four main general tasks that fall on executives responsible for ERM: (1) make sure that there is an adequate process for identifying, managing, and reporting risks throughout the company; (2) act as a support function to business units in this work; (3) detect and counteract risk management decisions that are suboptimal for the company as a whole; and (4) analytically aggregate risks to support decision making concerning the company’s total risk profile. The first two sections outline the history of ERM in Statoil, and the guiding principles that underpin it.

ERM AT STATOIL: A BRIEF HISTORY Headquartered in Stavanger, Norway, Statoil is one of the world’s top 10 oil and gas producers. In 2012, the company had revenues of 706 billion Norwegian krone, NOK (approximately 120 billion U.S. dollars, USD). In the same year, it had over 23,000 employees worldwide and produced 2,004 million barrels of oil equivalents per day. Known for its operational excellence, Statoil is the global leader in offshore oil production below water depths of 100 meters.

The company has a 40-year history as part of the Norwegian oil bonanza. Originally Statoil was the state-controlled company in the Norwegian model of retaining both publicly and privately owned exploration companies. The privately held company Saga Petroleum was acquired by the partly state-owned conglomerate Norsk Hydro in 2000. Norsk Hydro in turn merged its oil and gas division into Statoil in 2007. Statoil is now by far the largest producer on the Norwegian continental shelf.

In 2001, Statoil’s shares were listed on the Oslo and New York stock exchanges. In early 2013, its market capitalization exceeded 80 billion USD. While the Norwegian state still owns 67 percent of the company, it operates independently of the state on strictly commercial principles.

After having sold its downstream and petrochemical businesses over the past few years, Statoil is today heavily focused on upstream activities (i.e., exploration and development of oil and gas reserves). Its three business areas focusing on development are divided according to geographical regions (Norway, International, and the United States, with the latter being much smaller). In addition, it has four more business areas focusing on marketing, technology, exploration, and strategy.

ERM in Statoil got under way in 1996. Petter Kapstad, who has a background in banking, had been asked to systematize the management of risk in the finance department, which previously had been carried out in a fragmented and uncoordinated way. The result of Petter’s work was that the risks managed by the finance department were measured and managed as a portfolio of risks with central oversight. The then CEO of Statoil, Harald Norvik, realized that the same principles could be applied to the whole company, and that there would be benefits to Statoil from managing its risks in an integrated way. Again, Petter was trusted with the task of leading the company in this direction.

While Statoil’s executive officers were generally positive to the idea behind ERM, they still demanded to know “What is in it for us?” An important part of the answer to this question came from a project group that investigated the costs and benefits to Statoil from various financial transactions, mostly hedging and foreign exchange (FX) transactions going on in the company. Petter and his group were able to show that the number of transactions was staggeringly high, and that they were mostly based on a silo thinking that made no sense at all as seen from the corporate perspective. And, crucially, these transactions were not harmless or mere annoyances. They came at a substantial cost and seriously complicated the company’s accounting as well as the management of exposures. This struck the senior executives as unacceptable. ERM had demonstrated the economic justification it needed. A clear mandate was given.

Early on in the project, Petter met and started working with Eyvind Aven, who shared the same vision of an enterprise-wide approach to risk management. Importantly, Eyvind had a background in economic analysis, which complemented Petter’s experience from trading units. This fact made them bilingual in the sense that they knew the specific terminology and ways of doing things that were prevalent both in the company’s high-profile trading units, as well as in its headquarters. Their ability to speak both languages, and the fact that they were not viewed as outsiders, was to prove very useful, as many tough decisions lay ahead with people who had an interest in preserving the status quo.

An important early milestone in the implementation of ERM came in 1999, when the Risk Committee, a cross-disciplinary advisory body on risk, was formed. The idea behind creating this committee was to obtain a forum to which people could put proposals and general risk issues for analysis and recommendations. From the very beginning, the committee has been chaired by the chief financial officer (CFO). Its main task is to advise the executive managers and the CFO on risk issues; it is not part of the formal decision process. It consists of a broad range of professionals with different backgrounds, such as the head of strategy, the heads of the main trading units, the chief controllers of different business units, and the head of internal control, in addition to the head of the risk department, who is responsible for the agenda and for calling meetings.

In 2000, the risk department was formally set up (headed by Petter Kapstad), and started work on developing a common methodology on risk, as well as continuing the work on developing the company’s consolidated risk model that had been initiated two years earlier. The risk department, furthermore, has the overall responsibility for insurance and the captive insurance company. In 2005, the first enterprise-wide risk mapping process was rolled out.

ERM FOUNDATIONS In the early stages of the project, it was decided that Statoil would not simply implement one of the existing blueprints for ERM. Nor did Petter and Eyvind want it to be, or to be seen as, another control function.1 They had something else in mind. They wanted a framework that made sense to Statoil, and that centered on the two basic goals of the company: to create value and to avoid accidents. Keeping people and the environment safe are the first priority and supersede any other objective.2 Beyond those basic objectives, however, risks are to be managed in a way that maximizes the value of the company. This insight has a number of implications, which are explored in this section.

To begin with, the focus on value affects the very way risk is defined in Statoil. According to Statoil’s philosophy, which is widely communicated internally, risk encompasses not only downside risk but also upside potential. This philosophy has even found its way into the corporate directives of the company, which state that “risks shall be identified and analyzed, including both upside and downside impact.” On this dimension, existing off-the-shelf ERM frameworks were considered too oriented toward regulatory compliance and risk avoidance. The Statoil philosophy instead recognizes that risk taking is unavoidable, even necessary, to create value for shareholders.3 What matters is that the risks are well enough understood and found acceptable, given their downside risk and upside potential. Reflecting this thinking, the risk maps in Statoil have been developed to show probability and impact not only for the downside, which is the most common way of constructing these maps, but for the upside as well (see Exhibit 4.1).

Statoil’s risk map captures both upside potential and downside risk for any given risk factor. On the x-axis is the probability of occurrence. On the y-axis is the impact figure, measured as the pretax impact on earnings (USD millions). Note that the impact is measured relative to the forecasted value of earnings. All reported risks will be considered twice in the map. The first is its potential contribution to upside potential (to be entered above the line), and the second is its contribution to downside risk (to be entered below the line). These two points are a summary, or synthesis, of the entire range of potential outcomes for the risk factor in question. For example, the risk factor denoted Risk A in the exhibit has a 5 percent probability that the outcome will be somewhat better than expected. However, there is a 10 percent probability of a fairly significant loss relative to the forecast (USD 200 million). For this particular risk, the downside risk is larger than the upside potential.

[Exhibit 4.1 Risk Map (“Risk Map for XXX, Nov. 8, 2011, USD Million”): x-axis Probability (1%, 5%, 10%, 15%, 25%, 50%, 75%); y-axis Pretax Impact (USD million), grouped by Impact Category. Risk A is plotted twice, as point 1 above the line (upside) and point 2 below it (downside).]

[Exhibit 4.2 Statoil’s Value Chain: crude oil and natural gas (upstream) are refined into fuel oil, gas oil, jet kero, gasoline, naphtha, and dry gas, which are sold into markets. “The risks that matter” are grouped into market risks (crude oil; currency and interests) and operational risks (accidents, catastrophes, HSE risks, project risk, production risk, reservoir risk, country risks, tax risks).]

As already mentioned, value creation is the basic guiding principle for ERM in Statoil. That is demonstrated by the emphasis the company puts on viewing risks in a value chain perspective. In the corporate directives it is written that the company’s approach is to “identify, evaluate, and manage risk related to the value chain to support achievement of our corporate objectives” (original emphasis). Statoil’s value chain is outlined in Exhibit 4.2, showing how its main activities progress from upstream (oil exploration and development) to downstream (petroleum refinement) to market (selling its products into various global markets).

Statoil’s value chain consists of three main stages: the exploration and development of oil and gas reserves (upstream); the refinement of hydrocarbons into various petroleum products (downstream); and the selling of crude oil, gas, and refined products into different markets. The most important risks (“the risks that matter”) have been divided into two categories: market risks and operational risks.

What difference does the value chain perspective make? First, it serves as a clear signal to everybody involved (i.e., Statoil’s employees and other stakeholders) that value creation is the metric being pursued through ERM, and it is the impact on Statoil’s performance that ultimately counts. Statoil’s thinking on this issue is that if ERM is limited to managing risks related to goal achievement in various business units, the result will be “satisficing” rather than value maximizing.4

Another important benefit of the value chain perspective relates to the fact that the large number of risks identified in the risk map can make it challenging to understand what is really going on. By sorting the risks into a value chain, one can more easily see the bigger picture and, through the lens of the company’s business model, see how the different risk categories hang together. In other words, the value chain perspective allows Statoil to rework the knowledge about risk contained in the risk maps into something that is more analytically and logically coherent.

The concept of core risks further underlines the central role of value creation as a guiding principle for ERM in Statoil. To understand this concept, we need to go back to 2001, when the company’s shares were listed.5 During the listing process, there were investors looking for arguments as to why they should invest in Statoil. Recognizing that investors were entitled to information about what exposures they were getting when they invested in Statoil shares, the company formulated the idea of core risks, understood as the risk exposures that an investor would expect, and even desire, to have from buying Statoil shares (the most important of which was the exposure to oil and gas prices). The core risks are owned by the CEO of the company and are coordinated centrally in the organization. One of the practical consequences of this is that trading mandates throughout the company have been substantially restricted and placed under central scrutiny. At the end of the day, this should increase the transparency and predictability of the risk exposures obtained by investing in Statoil shares, which lowers the risk premium investors attach to the company and hence also its cost of capital (Jankensgård, Hoffman, and Rahmat 2013).

ERM PROCESSES IN STATOIL TODAY So far we have discussed the history of ERM in Statoil and the guiding principles underpinning it. We now turn to the more practical issues of what tasks executives need to address for ERM to work in practice and for its potential benefits to be realized. The first two tasks, covered in this section, are making sure there are adequate processes in place for managing risks throughout the organization, and acting as a support function to the business units as they go about this.

Let us dispel a potential misunderstanding. ERM does not imply that all risks should be managed, or owned, centrally in a company. While some risks certainly are managed centrally in Statoil (its core risks, as discussed in the previous section), the business areas are responsible for managing the large majority of the risks that arise in their lines of business.

Just because a business area has been designated the owner of a particular risk, however, doesn’t mean that sound management of this risk automatically follows. Corporate management needs to ensure that risk management in the business units is of sufficient quality. Corporate management also has a legitimate right to be informed about the main risks in each business unit and what is done about them. These considerations lead us to what for many is the bread and butter of ERM, namely the process of identifying, mitigating, and reporting risks. For brevity, we will refer to this as the “risk mapping process.”

In Statoil, the risk mapping process follows a quarterly rhythm, which is the frequency at which the business units are required to update their risk maps. This is not just a numbers exercise. The units are expected to provide discussions and justifications for their assumptions, and explain what their policy on each main risk is. As part of the company’s quarterly review meetings,6 they also meet with top management to discuss the status with regard to major risks. These two facts—providing written justifications and actually meeting with representatives of top management and the risk department—go a long way toward ensuring the quality of the outputs of this process (the probability-impact estimates). Since the business units know this lies ahead, they have every reason to do a good job preparing and thinking through their estimates of risks (and their mitigation actions). It also counteracts any tendency to think along the lines that “this risk certainly exists, but it surely will not happen during my time in office, so I will just do nothing.”

The risk department, in turn, writes a brief in response to the business units’ risk maps, which is sent to executive management. Statoil’s board of directors is also briefed on the risk profile on a quarterly basis, and they receive a condensed version of the risk map prepared by the risk department.

The risk department is not only a supervisor of the risk mapping process. It also provides support to business areas and helps spread best practices. It has the expertise and resources to assist business units in multiple ways, from advice on how to manage a particular credit risk to suggesting a methodology for quantifying a certain market risk.

A useful example of the role of the risk department as a resource available to support business areas in their commercial activities comes from country risk. Statoil’s risk department has, in collaboration with consultancy firm IHS Global Insight, developed a deep expertise in this area, which is of particular importance to a company active in many of the world’s most risky countries. This effort has resulted in a large internal knowledge base on country risk, as well as a standardized methodology for evaluating country risk as part of new investment proposals. The business areas are able to draw on these resources, and work with the risk department to reach the appropriate policies for each country and new investment.

In the risk mapping process, rigorous quantification of probability and impact has been considered essential to make the risk maps useful to support decision making. Quantification brings a focus on the financial bottom line of the company, and makes it possible to compare different risks in a meaningful way. What one person would label a large risk may well be a small one to someone else, depending on their frame of reference.

OPTIMIZING TOTAL RISK The two tasks related to ERM discussed so far, the risk mapping process and the role of adviser to the business areas, are conceptually straightforward. The third, avoiding risk management decisions that are suboptimal for the company as a whole, is less so. To increase the understanding of the issue, we will discuss several practical examples in this section.

In Statoil, avoiding suboptimal decisions is also known as “optimizing total risk.” Optimization of total risk has been unyieldingly pursued by the ERM team, with several tangible benefits for the company. The value metric that underpins ERM in Statoil implies that it is the perspective of the company as a whole that should rule in practical situations where different individuals and business units may have differing views on how to proceed.

A straightforward example of possible suboptimal behavior concerns foreign exchange (FX) risk management. Consider a situation where one business unit is selling into a market where the product is quoted in U.S. dollars, and another unit is sourcing material priced in the same currency. Whereas each unit may have an incentive to manage its own exposure, what counts for the company as a whole is the net of these exposures. Lacking a central policy, risk could be overmanaged to the extent that managers of business units use FX derivatives to cover exposures that would cancel out from the perspective of the company. Apart from the burdensome accounting that derivatives cause, there are also significant direct costs from such overmanagement of risk. Statoil calculates that if two business areas simultaneously cover a USD 10 million exposure (by no means a large hedge by Statoil’s standards), it would incur transaction costs of around NOK 180,000 (assuming a USD/NOK exchange rate of 6 and a bid-ask spread of 30 basis points). Since ERM was implemented, Statoil has withdrawn the ability of business units to set their own policy with regard to FX derivative usage. Besides avoiding the transaction costs just mentioned, a centralized FX derivative policy entails a number of other advantages, such as business units focusing on their core activities and an increased ability to coordinate the derivative policy with other corporate policies; see Jankensgård (2013) for a detailed discussion.

Our second example of potential suboptimization concerns the hedging of oil and gas exposures. Prior to ERM, business units used to have fairly generous mandates to hedge their exposures to these market prices. This created a potential problem from the perspective of the company as a whole. Besides complicating the assessment of net exposures on the corporate level, the business units were basing their hedging decisions on criteria that were disconnected from the goal of maximizing value. What drove a unit’s decision to hedge was instead a desire to lock in prices when they were above the price that was assumed when targets were set for the year, but to leave them unhedged otherwise. If the business plan had assumed an oil price of $100 and it later climbed to $115, the unit could use a derivative contract to lock in this level, which ensured it would beat the target and could collect a bonus for the year. As mentioned earlier, these mandates have been gradually reined in and subjected to strict limits set centrally in the organization.

A third example of a business unit optimizing its own risk/return with the result being suboptimal decisions for the company overall comes from Statoil’s captive insurance unit. Previously this unit sought to justify its existence as a stand-alone unit by showing robust profits. In so doing, it benefited greatly from the implicit guarantee provided by Statoil’s credit rating and strong balance sheet. From the perspective of ERM, this is incorrect. Rather, the captive should be a tool for Statoil in optimizing total risk. Today the captive does this. The insurance policy of Statoil now targets the things that matter: the really big risks related to business continuation. That is, the insurance program focuses on the risks that really could throw Statoil off course, and ignores (i.e., self-insures) the lesser risks that ultimately have no significance for Statoil’s ability to meet its overall objectives.

TOTAL RISK OPTIMIZATION: LESSONS LEARNED Optimizing total risk may sound simple in principle. Indeed, it is one of the supposed core principles of ERM. ERM texts routinely contain phrases like “avoid duplicating costly risk management activities” and emphasize this as one of the main benefits of ERM (as opposed to a silo or decentralized approach to risk management).

In reality, optimizing total risk is not so easily achieved. A key reason for this is that it threatens the established way of doing things. Powerful units and individuals may have little interest in conforming to ERM because it reduces their autonomy and requires a change in how they work. Some deeply rooted habits may need to change. As a result, many will resist, which may prevent an ERM program from lifting off the ground.

Consider also the way the ability to manage risk hangs together with the system for performance measurement used by the company. Let’s say a business unit is evaluated on its earnings before interest and taxes (EBIT). Since the unit is responsible for its own result, it seems only reasonable that it should have the freedom to manage the risk exposures related to it. However, this conflicts with the legitimate goal of headquarters to centralize management of FX risk or other core risks (e.g., oil prices) given the substantial benefits of a centralized approach (as discussed earlier). Hence, we have a conflict between the desire to centralize risk management and the way the company measures the performance of its business units.

So how do you succeed in making the ERM mind-set take root despite these potential problems? A few factors stand out in Statoil. For example, the company has ensured that key performance indicators (KPIs) and balanced scorecards that the company uses to evaluate its business units are, to the extent possible, unaffected by the centrally managed core risks we introduced earlier. This is a very important principle, because it resolves many of the potential conflicts of interest that could arise from centralizing risk management. As mentioned, energy prices and exchange rates could greatly impact the company (e.g., its EBIT), which could create incentives for the business units to manage these risks. In Statoil, however, the performance measures used have been designed to exclude the impact of these external factors. This means that the company achieves central management of these risks but largely avoids the discontent that could result from business units having to live with large risk exposures.

Beyond established KPIs and scorecards, work has also been done to make taking the best decision for Statoil the normal and expected thing for an employee. Obvious though the foregoing may sound, many units are, for often quite understandable reasons, very focused on meeting their own targets and consequently do not see beyond the border of their unit. The ERM team has, however, sought to make it part of anyone’s job description to think in terms of Statoil’s net benefit. People have been made aware that this is expected of them.

Another success factor in this regard has been to spend significant amounts of time beforehand thinking about what the ERM should ultimately look like, and why. Petter and Eyvind call this “doing one’s homework.” Having a coherent set of arguments ready to defend a particular measure meant to optimize Statoil’s total risk has made it much easier to stand firm when people resisted change.

The Statoil experience also illustrates the importance of getting the Risk Committee right. If not done the right way, such a committee will continue in old tracks and look at risks in a silo fashion. Attendance will be low and the committee’s utterances will carry little weight. If done right, however, it will develop into an effective ERM champion whose recommendations are widely respected and translated into action.

The Statoil Risk Committee today is indeed a guardian of Statoil’s best interests in matters related to risk. It effectively functions as an ERM filter in which difficult questions are voiced and resolved. Policies that were earlier set in isolation in a particular department now have to pass through the Risk Committee. For example, Statoil’s FX policy is prepared by the finance department, but needs to be thoroughly discussed and supported in the Risk Committee.

A useful example of the committee’s role in resolving issues related to total risk optimization comes from the process of setting performance KPIs and scorecards for business units (as discussed earlier). Wrongly formulated targets are seen as a threat to total risk optimization, because they may encourage a behavior that runs counter to this goal. The Risk Committee counteracts such tendencies by checking if a particular target makes sense and is compatible with Statoil’s overall best interests, a loop that in Statoil is referred to as “pressure testing” the targets.

What accounts for Statoil’s success in turning the Risk Committee into an ERM champion? The importance of having the unwavering support of key individuals in the executive team cannot be overstated here. Moreover, setting up an interesting agenda with a certain content of education (especially in the early days of the program) seems to have been a key success factor for the Statoil Risk Committee. The Statoil experience also shows that the committee should remain a specialist forum, and that one should stay away from attempts to integrate it with top management. Ultimately the Risk Committee needs to remain an advisory body, not an executive one, though it needs to carry enough status to be seen as the real arbiter on risk-related issues in the company.

RISK AGGREGATION

Developing risk maps and assembling the risk register produces a lot of information about risks, in qualitative as well as in quantitative terms. The simple fact that these processes are in place provides some reassurance that the risks are recognized and given proper attention. This is a goal in and of itself.

While in many ways essential to an ERM program, risk maps are largely static devices that don’t allow codependencies between risks to be taken into account in any meaningful way. As a straightforward example, consider the relationship between the oil price and the USD/NOK exchange rate. Given the oil dependency of the Norwegian economy, this exchange rate tends to be sensitive to the price of oil, which is quoted in USD. Over the decades, this has provided Norwegian oil companies with a natural hedge: A lower oil price tends to weaken the Norwegian krone, as less oil revenue needs to be converted into NOK. Such dynamic relationships are hard to capture in a risk map, yet they are highly relevant to the risk management strategies of these companies.

Nor do the risk maps easily translate into an overall estimate of the uncertainty in the firm’s future performance, as expressed through financial bottom lines such as earnings, liquidity, or balance sheet ratios. These shortcomings of the risk maps bring us to the fourth task facing the executives responsible for an ERM program: aggregating the firm’s portfolio of risks into some indicator, or metric, that can guide the company’s executive team (and board of directors) in matters related to the firm’s overall risk profile.

Alviniussen and Jankensgård (2009) argue that most ERM programs today are detached from the analytical work of predicting and managing the firm’s financial position. Not taking into account the firm’s financial situation means that, despite the ERM effort to identify and quantify risks, an estimate of aggregate risk continues to elude companies implementing ERM. In the enterprise risk budgeting (ERB) approach proposed by these authors, the risk register is integrated with the firm’s financial planning process to generate risk-adjusted forecasts of important enterprise-level indicators of performance and financial health.

To address the concerns voiced in the previous paragraph, companies need to take a more analytical and quantitative approach to risk management. In practical terms this implies building a model that combines the company’s many different risks into a probability distribution for some bottom line considered important, such as earnings or its debt-to-assets ratio. From such a probability distribution, summary risk statistics can be obtained—for example, the loss in earnings associated with a certain probability (this measure is known as earnings at risk). Generally, this approach requires some form of simulation methodology (e.g., Monte Carlo simulation).

Statoil’s corporate risk model, briefly introduced earlier in this chapter, is based on these principles. It contains a sophisticated methodology for estimating the amount of variability in the firm’s main risk exposures, based on historical time series, as well as estimates of the tendency of these risks to co-vary. It lets the user select an output from a list and, within a few minutes’ time, obtain a probability distribution for this variable. Moreover, the user can learn what the probability distribution would look like under an alternative course of action. For example, the model allows the user to overlay the probability distribution for net income with a second distribution that takes into account a certain risk management strategy (e.g., buying put options covering a certain fraction of the company’s net exposure to the oil price). Such an overlay is illustrated in Exhibit 4.3.

Statoil’s risk model allows the company to produce a probability distribution for various financial parameters considered important, such as earnings or return on assets employed. The obtained probability distribution can be used to derive summary risk statistics of the company’s overall risk. In this graph, the base case outcome distribution (the darker line) for net income is compared with what it would look like if the company implemented a large-scale hedge of the oil price (the lighter line). The values of net income on the x-axis have been deliberately hidden. The vertical dashed line represents the value of net income associated with the 5th percentile of the probability distribution, a measure commonly referred to as net income at risk (or earnings at risk).
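The aggregation step described above, as an added example that is not Statoil’s model and not code from the chapter: a small Monte Carlo simulation in Python that draws the oil price and the USD/NOK rate as correlated lognormal factors (the natural hedge discussed earlier), converts each path into net income in NOK, reads off the 5th percentile (net income at risk) and overlays a put-option hedge in the manner of Exhibit 4.3. Every number in it (production volume, prices, volatilities, the oil/FX correlation, fixed costs, option strike and premium) is an assumed round figure chosen for illustration, not Statoil data, and the function names are the example’s own. Only the standard library is used.

```python
"""Monte Carlo aggregation of two codependent risks into an earnings-at-risk figure.

Added illustration, not Statoil's corporate risk model. All inputs below are
assumed round numbers (not company data) chosen to make the mechanics visible.
"""
import math
import random

# Assumed inputs for the illustration.
VOLUME_BBL = 700e6          # barrels sold per year
OIL_USD = 80.0              # base-case oil price, USD/bbl
OIL_VOL = 0.30              # annual log-volatility of the oil price
FX_USDNOK = 8.5             # base-case USD/NOK rate
FX_VOL = 0.10               # annual log-volatility of USD/NOK
OIL_FX_RHO = -0.4           # a weaker oil price tends to weaken NOK (USD/NOK rises)
FIXED_COSTS_NOK = 300e9     # costs assumed fixed in NOK
PUT_STRIKE_USD = 80.0       # at-the-money put on the oil price
PUT_PREMIUM_USD = 12.0      # assumed premium paid per barrel covered


def correlated_normals(n, rho, seed=1):
    """Return n pairs (z_oil, z_fx) of standard normals with correlation rho.

    Two-factor Cholesky: z_fx = rho * z_oil + sqrt(1 - rho^2) * independent noise.
    """
    rng = random.Random(seed)
    k = math.sqrt(1.0 - rho * rho)
    pairs = []
    for _ in range(n):
        z_oil = rng.gauss(0.0, 1.0)
        z_fx = rho * z_oil + k * rng.gauss(0.0, 1.0)
        pairs.append((z_oil, z_fx))
    return pairs


def correlation(xs, ys):
    """Sample (Pearson) correlation, used to check the draws behave as intended."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)


def net_income_paths(n, rho=OIL_FX_RHO, hedge_fraction=0.0, seed=1):
    """Simulate annual net income in NOK for n scenarios.

    hedge_fraction is the share of volume covered by a put on the oil price;
    the put settles in USD and is converted at the realised USD/NOK rate.
    Using the same seed across calls keeps the scenario draws identical, so
    strategies are compared on the same set of futures.
    """
    paths = []
    for z_oil, z_fx in correlated_normals(n, rho, seed):
        # Lognormal factors with the -sigma^2/2 term so the mean equals the base case.
        oil = OIL_USD * math.exp(OIL_VOL * z_oil - 0.5 * OIL_VOL ** 2)
        fx = FX_USDNOK * math.exp(FX_VOL * z_fx - 0.5 * FX_VOL ** 2)
        revenue_usd = VOLUME_BBL * oil
        hedge_usd = hedge_fraction * VOLUME_BBL * (max(PUT_STRIKE_USD - oil, 0.0) - PUT_PREMIUM_USD)
        paths.append((revenue_usd + hedge_usd) * fx - FIXED_COSTS_NOK)
    return paths


def risk_summary(paths, tail=0.05):
    """Expected value, the tail percentile (net income at risk) and the shortfall from expectation."""
    ordered = sorted(paths)
    tail_value = ordered[int(tail * len(ordered))]
    expected = sum(paths) / len(paths)
    return {"expected": expected, "tail_value": tail_value,
            "earnings_at_risk": expected - tail_value}


if __name__ == "__main__":
    n = 20000
    cases = [("base case", OIL_FX_RHO, 0.0),
             ("50% put hedge", OIL_FX_RHO, 0.5),
             ("no natural hedge (rho=0)", 0.0, 0.0)]
    for label, rho, frac in cases:
        s = risk_summary(net_income_paths(n, rho=rho, hedge_fraction=frac))
        print(f"{label:26s} expected {s['expected'] / 1e9:7.1f}  "
              f"5th pct {s['tail_value'] / 1e9:7.1f}  "
              f"EaR {s['earnings_at_risk'] / 1e9:6.1f}  (bn NOK)")
```

Run as a script it prints expected net income, the 5th percentile and earnings at risk in billion NOK for the base case, for a put covering half the volume, and for a counterfactual with the oil/FX correlation set to zero. The hedge lifts the 5th percentile at the cost of a lower expectation (the premium), which is the trade-off the overlay in Exhibit 4.3 is meant to make visible; the third line shows what a risk map cannot: remove the natural hedge and the tail loss grows although no single exposure changed.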

THE FRONTIERS

Part of the philosophy of ERM in Statoil is never to lean back and consider the job done. While the progress in achieving the necessary buy-in for new approaches is gradual and sometimes slow, the frontiers are pushed ever forward. Decision makers around the company need to have their worldviews challenged, as the thinking goes, and to be provoked into new ways of looking at things.

[Exhibit 4.3 figure: two probability distributions of net income, the base case and the “Statoil Portfolio with Oil Hedge”; y-axis: Frequency of Occurrence (%), scaled up to 0.03; x-axis values hidden.]

Exhibit 4.3 Comparing Different Risk Profiles

One area where work is currently being done is giving the concept of risk appetite a content that is meaningful to Statoil. Risk appetite is commonly construed as the amount of risk exposure a company is willing to retain in order to pursue the upside potential it considers appropriate and desirable. True to its tradition of quantifying risk, Statoil frames risk appetite in terms of several quantitative risk measures. The variable, return on capital employed (ROCE), is one of the performance indicators that Statoil considers useful in this regard since it sums up the net effect of a large number of risk exposures. Risk appetite in Statoil is about formulating, for a given upside, how large of a potential shortfall, or tail risk, Statoil is willing to accept in terms of a particular performance indicator; see Jankensgård (2010) for a discussion about constructing shortfall risk measures in an ERM context.

Another area where Statoil is pushing the frontiers concerns the relationship between ERM and strategy. As part of this project, the ERM team has developed estimates of how different strategic paths would contribute to different risk categories, such as reservoir risk, implementation risk, market risk, or risks related to health, safety, and environment. Depending on which strategic path is considered, the composition of the company’s overall portfolio of risk would gradually shift in a particular direction (see Exhibit 4.4). This initiative is about clarifying the nature of this impact and making senior decision makers aware of the consequences of their strategic decisions.

[Exhibit 4.4 figure: stacked bars titled “Risk Specifications—Segments”, one bar for each of Strategic path 1 through Strategic path 8 (x-axis: Strategic Paths), with segments for implementation (“Impl.”), market and country (“Coun.”) risk drawn above and below the axis; y-axis label only partly legible, “Risk Figure in ...illion”.]

Exhibit 4.4 ERM and Strategic Risk

This graph illustrates how different strategic paths would, if implemented by management and the board of directors, impact the overall composition of Statoil’s portfolio of risks. Each bar represents a strategic path, and the shadings indicate the relative importance of different types of risk (country risk, market risk, implementation risk, and so on). The y-axis shows the expected risk (probability/impact) associated with each strategic path on both the upside and the downside. Note that certain risk categories appear on both the upside and the downside, and that these impacts need not be equally large. This asymmetry is at hand also for market risk, due to differences in marginal taxation across different income levels for oil companies. In the final decision making, the risk profile of each strategy path would have to be compared with the estimated investment outlays and the expected return on investment (not shown in the graph).

CONCLUSION

In Statoil, understanding and managing risk is today considered a core value of the company that is written into the corporate directives and widely communicated to employees. ERM is thoroughly embedded in the organization’s work processes, and its Risk Committee has managed the transition from a silo mentality to promoting Statoil’s best interests in areas where risk needs to be considered. The company has introduced the concept of core risks, which are the risk exposures that the company needs to manage consistently vis-à-vis its investors and which therefore require central management. In several areas where risk management used to be pursued in a silo fashion, based on incentives existing locally in the organization, risk is now optimized from the perspective of the company as a whole. ERM in Statoil is not a control function aimed at minimizing risk, but dedicated to the goal of maximizing enterprise value given both downside risk and upside potential.

Achieving these outcomes is by no means trivial, because it challenges the organizational status quo and forces people to think and act differently with regard to risk. Statoil’s success in achieving these outcomes is largely explained by the diligent work of a few key individuals, who consistently over many years have pursued a risk management program that maximizes the value of the company as a whole, as well as the strong support of the executive officers and directors. The ERM program has involved changing people’s attitudes toward risk, and making Statoil’s enterprise value the metric that people are ultimately expected to pursue. It has also involved thoughtfully changing the performance evaluation systems in ways that address the potential conflicts of interest that result from centralizing risk management.

QUESTIONS

1. Why might it be in a firm’s best interest to centralize the management of some risks but not others?
2. Describe why the organizational status quo might lead to resistance to ERM implementation. How can this potential resistance be overcome?
3. How do you succeed in making sure that the risk committee really turns into an ERM champion, as opposed to continuing in a silo mentality?
4. What are the costs and benefits of integrating the ERM risk register in the firm’s financial model to obtain “risk-adjusted” financial forecasts?
5. What are the key financial risk factors that a company could encounter?
6. What should limit Statoil’s capacity to invest in profitable new oil projects, that is, take on new risks?
7. For which risk factors would it be advisable to use Monte Carlo simulation to quantify the distribution of outcome?
8. In what cases would it be relevant for an oil company to consider effects of correlation between risk factors in quantifying risk?

NOTES

1. This is not to suggest that internal audit has been excluded from the ERM process. On the contrary, internal audit has been strongly supportive of ERM and has contributed valuable resources to it.
2. This is underscored by the fact that the risks related to health, safety, and environment are the responsibility of a separate corporate function (Corporate Safety).
3. Statoil’s internal communication puts it this way: “We live by taking risks.”
4. The term satisfice was introduced by the American researcher and Nobel laureate Herbert Simon in 1956. It refers to a decision-making strategy that seeks to achieve an acceptable outcome, as opposed to the optimal outcome, which requires expending more time and effort.
5. Statoil’s shares were simultaneously listed on the New York Stock Exchange.
6. The quarterly review meetings are occasions in which top management meets with business areas to discuss the unit’s performance vis-à-vis previously agreed targets. This refers to the unit’s overall financial performance as well as specific key performance indicators. Risk is therefore only one of several issues on the agenda for these quarterly reviews.

REFERENCES

Alviniussen, A., and H. Jankensgård. 2009. “Enterprise Risk Budgeting: Bringing Risk Management into the Financial Planning Process.” Journal of Applied Finance 19, 178–192.
COSO. 2004. Enterprise Risk Management—Integrated Framework. New York: Committee of Sponsoring Organizations of the Treadway Commission.
Jankensgård, H. 2010. “Measuring Corporate Liquidity Risk.” Journal of Applied Corporate Finance 22, 103–109.
Jankensgård, H. 2013. “Does Centralization of FX Derivative Usage Impact Firm Value?” European Financial Management, forthcoming.
Jankensgård, H., K. Hoffman, and D. Rahmat. 2013. “Derivative Usage, Risk Disclosure, and Firm Value.” Financial Management Association Europe Conference Paper.

ABOUT THE CONTRIBUTORS

Alf Alviniussen is former Group Treasurer and Senior Vice President of Norsk Hydro ASA, Oslo, Norway. After 42 years in the company holding leading positions within the group treasury and corporate finance, including responsibility for risk management and financial planning, he is now acting as an independent consultant.

Håkan Jankensgård holds a PhD in risk management from Lund University, Sweden. He is the former risk manager of Norsk Hydro and has more than 10 years’ experience in advising companies on their risk management strategies. He is currently a researcher in corporate finance at the Department of Business Administration and Knut Wicksell Centre for Financial Studies, Lund University.


ERM in Practice at the University of California Health System

GRACE CRICKETTE
Senior Vice President and Chief Risk and Compliance Officer, AAA Northern California, Nevada, and Utah; former Chief Risk Officer, University of California

The University of California’s Health System is comprised of numerous clinical operations, including five medical centers that support the clinical teaching programs of the university’s medical and health sciences schools and handle more than three million patient visits each year. The medical centers provide a full range of health care services in their communities and are sites for the development and testing of new diagnostic and therapeutic techniques. Collectively, these centers comprise one of the largest health care systems in the world.

The University of California Office of the President’s Office of Risk Services is responsible for developing and implementing enterprise risk management (ERM) systemwide, identifying and developing strategies to minimize the impact of risk, developing a center of excellence for managing risk, reducing costs, and improving safety by executing new ideas and strategic plans in a rapid manner in support of the university’s mission of teaching, research, public service, and patient care.

THE ENTERPRISE RISK MANAGEMENT PROGRAM

The University of California (UC) System began an ERM initiative as a natural progression of making the decision to adopt the Committee of Sponsoring Organizations (COSO) Internal Control—Integrated Framework in 1995, and in that same year UC’s vice chancellors for business and finance accepted an internal audit recommendation to adopt COSO as the Internal Control Integrated Framework for the university. In 2004, COSO’s inclusion of enterprise risk management into its model led to the hiring of a chief risk officer (CRO) tasked with implementing enterprise risk management.

The chief risk officer, who had previously implemented ERM for a publicly traded company, set out to learn about the operations and culture of the university and identify what ERM activities were already in place and where there were gaps, and what would be the best approach for implementing ERM. Visits were made to all of the campuses and medical centers, and leaders from various departments and disciplines were gathered together and asked: How do you know if you are doing well? What data do you have to let you know how you are doing? Leadership clearly was able to articulate their objectives and the risks that could impact those objectives, but the data for measuring and monitoring were not timely and were primarily ad hoc, annual, and manual. The information gathered through these meetings was critical for understanding and developing the key performance indicators (KPIs) that would later become an important component of the ERM program. (See What Is a KPI?)

What Is a KPI?

Generally, strategic or operating plans will identify the critical success factors and key goals of an organization. Critical success factors are the areas that the organization must focus on and do well in to satisfy customer/client needs. An example may be “meeting client expectations.” KPIs are derived from critical success factors and define these critical success factors into more meaningful criteria. For example, the critical success factor of “improve productivity” might have KPIs such as cost, service quality, cycle time, streamlining of processes, and reduced duplication and/or rework.

How often can KPIs be updated?

KPIs can be updated as frequently as the data they are drawn from is updated. Some examples:

Claims information: daily
Payroll information: monthly
Construction scheduling: quarterly

How is improvement measured with KPIs?

Improvement is measured by looking at ratios between time periods relative to risk. For example, in the area of workers’ compensation:

Recordable rate = Number of injuries relative to the hours worked

Next, an ERM panel was formed to develop an ERM strategy. The ERM panel included management representatives from the Office of the President, the campuses, and the health system. The CRO along with the ERM panel recognized that, given the complexity of the university’s operations and the general decentralization of services and information, technology would need to be leveraged to identify, manage, and monitor risks. The overall strategy was to develop a data warehouse that could manage information already being collected by various groups, existing programs, and initiatives throughout the system—an enterprise risk management information system (ERMIS). Once consolidated in a single location, the data could then be used to analyze processes, risks, and controls systemwide.

As the ERMIS was being developed, the CRO commissioned a cost of risk study to be able to measure and monitor success of the ERM program. The first Risk Summit was held with more than 100 attendees, and the charge was given to the attendees to reduce the cost of risk by 16 percent in 24 months. How? At the summit the program Be Smart about Safety (BSAS) was launched, which was the first of many initiatives focused on preventing and managing risk. The university not only met this charge, but exceeded it by meeting the target in only 18 months.

Leveraging Technology to Support ERM

UC continues to develop the ERM information system (ERMIS), a flexible and dynamic system, to give campus stakeholders at multiple levels the information they need to make business decisions in a timely and effective manner. The ERMIS essentially “democratizes” information, in that it has the ability to provide key data and reports to personnel at all levels and locations of the university. As the integrated data has become richer and its use more widespread, the value of the ERMIS has grown in creative ways.

The ERMIS started with simple risk assessment tools and expanded to include:

• Dashboard reporting on major areas of risk
• Control and accountability tracking platform
• Risk mitigation and monitoring tools
• Survey capabilities

All of these tools can be used independently or interdependently, allowing for:

• Better quantitative analysis capabilities
• Improved analytical and reporting capabilities
• Support for leading risk governance and compliance processes
• Systemwide visibility, with local flexibility
• Scalability without additional burden on UC staff

While the ERMIS dashboard system is prepopulated with some KPIs, UC continues to work with each location to develop KPIs that are helpful to supporting the location’s own initiatives. ERM groups find the ERMIS to be an important tool for identifying and understanding risks. The system will also support the monitoring of internal controls and accountability, providing valuable information to the controllers and internal auditors. These capabilities lower the overall cost of risk (oftentimes associated with day-to-day operations) across the institution.

The creation of automated reports within the ERMIS increases workforce efficiency. Redundancy is reduced by the creation of automated reports made readily available to those with a need to know. Instead of having the same or similar reports being developed and maintained without the benefit of shared knowledge at different divisions, departments, schools, campuses, medical centers, and other locations, the ERMIS enables sharing of analyses and information easily and efficiently across multiple different locations. (See Exhibits 5.1 and 5.2.)

[Exhibit 5.1 flowchart: the phases Define, Analyze, Control/Monitor and Evaluate, with the steps Identify Risks, Quantify Risks, Monitor Risk Control and Mitigation, Report to Management and Audit Risks, and Risk Management Summary Reporting to High-Level Stakeholders.]

Exhibit 5.1 ERM Process

Creating a Risk-Aware Culture

The foundation of the University of California’s enterprise risk management program is to have people actively manage their various risks—everyone is a risk manager! One key to creating a culture where everyone is a risk manager is to give them tools that meet their specific needs. That means developing different tools, work groups, and initiatives, but delivering them in a cohesive and integrated manner. Also, how can we create personal ownership for identifying, managing, and monitoring risk? A group of forward-thinking people at UC Davis came up with a solution, and the My Managed Risk portal was born!

The My Managed Risk (MMR) portal was designed as an entry point to the services and resources provided by the Office of Risk Services. It serves as a centralized location for authorized users to access enterprise risk management–related tools and information. The portal allows users direct access to their authorized ERM applications, as well as the ability to view content related to the ERM Solution Set, and at the same time to stay informed of up-to-date news and articles directly related to enterprise risk management. The streamlined design also provides an efficient way for users to search within the MMR portal in order to retrieve contents of interest quickly. (See Exhibit 5.3.)

Health System Specialized Programs

The UC Health System participates in and benefits from all of the tools and programs that come under the umbrella of ERM, but, in keeping with delivering the right tools to the right people, UC continues to develop programs specific to health care.


Exhibit 5.2 ERMIS Dashboard Samples

Dashboard Name: Description

CFO Division AIM (Actionable Information for Managers): Promote positive administrative behavior at the campus level via campus-by-campus comparisons. Results are indicative of business/operational performance and are within Chancellor’s realm of control.
Financial Accounting: Count of hand-postings, direct deposits, electronic W-2 and payments, CFR reports, and percentage of transactions not cleared.
Financial Services and Controls: Connexxus participation, travel spend, and savings. Purchase card expenditures, administrative efficiency, and incentives.
Procurement Services: Systemwide procurement savings, procurement spend under management, and percentage of transactions processed electronically by location.
External Finance, UC Bond Debt: Provides visibility and trending on UC bond debt by location.
Medical Quality: Extends medical quality reporting data to support risk management activities.
Travel Incidents, Calls, Claims: To correlate and report data from all travel insurance and travel agencies for UC students and staff traveling throughout the United States and world (anticipated).
UCSF PD Early Warning System Report: Provides UCSF PD leadership the ability to track and identify patterns of multiple staff complaints/investigations/incidents.
UC Travel Dashboard (Connexxus): Tracks campus adoption of the Connexxus travel system and actual savings for campuses that utilize Connexxus.
Waste Diversion: Contains results of the annual waste diversion campus survey. Allows for comparison of recycling/waste diversion between campuses.
Human Capital Dashboard: Provides human resources–related correlations by department and reason description by utilizing enrollment, FTEs, head count, hours, EPL claims, employee separation/retirement, OSHA rates, and harassment prevention training.
Safety Index Dashboard: Provides safety-related loss and exposure correlations by department and cause description by utilizing the following elements: WC claims, FTEs, hours, head count, vehicles, GL, student population, acres, property losses, and OSHA rates.
Safety Index ROI Enhancements: Illustrates the direct and indirect costs of safety risks at UC locations and enterprise-wide.
UC Ready: Provides mission (business) continuity plan completion counts for all locations at the department level.
UC Ready Department-Level Enhancements: Systemwide continuity plan completion and activity metrics at department level.
Reputational Risk (CDPH): Provides aggregated counts and trends for medical center–related complaints and penalties as reported by California Department of Public Health.
Reputational Risk (OSHA Cube): Allows visibility in OSHA claims against UC locations that may cause reputational risk to UC.
Office of General Counsel (OGC): Provides visibility to legal cost by locations.
Medical Center: Provides Medical Center loss and exposure trends and correlations.
Medical Center PL Cube: Provides users the ability to create ad hoc reports utilizing selected Medical Center claims data.


Exhibit 5.3 UC My Managed Risk Portal

Integrating Traditional Risk Management into ERM

Are traditional risk management and ERM two separate programs, concepts, and disciplines? The short answer is “No.” Rather, the traditional risk management practices are critical components that make up the ERM portfolio. To get at the big enterprise picture for incidents, events, and claims arising out of the medical centers and hospitals, UC developed an approach to the evaluation of medical incidents, events, and claims. (See Exhibit 5.4.)

Trending, monitoring, and reporting of adverse clinical events and their root cause(s) are done as part of ERM:

• Each University of California Medical Center uses a web-based clinical incident reporting system that permits any staff member to report an event or near miss. The university medical centers are moving to a commercial incident reporting platform that will be consistent across all facilities and permit comparison reporting.

• Each of the UC medical centers has individuals (category managers) who are responsible for the monitoring and evaluation of certain types of events and taking action on them. The Office of Risk Services has access to this system and receives notice of significant events through the system.

• Trend reports are prepared for facility patient safety and quality committees and forwarded through the facility committee structure to the facility governing body—typically the dean of the School of Medicine.

• Adverse event incidents are monitored, and serious events that may require reporting to the state are reviewed weekly; any that are sentinel events result in a root cause analysis.


[Exhibit 5.4 flowchart, three tracks:
Incident (includes near misses): the incident reporting system captures the identified event or near miss; it is directed to the Category Manager; trend reports are developed by the location Quality or Risk function against metrics and benchmarks, provided to the location Quality & Safety Committee, forwarded to the location Executive Committee of the Medical Staff, and provided to the Governing Body.
Adverse event: directed to the Category Manager/Quality & Risk*; serious events are identified and reviewed by the weekly Quality of Care Steering Committee; a sentinel event leads to a root cause analysis; trend reports follow the same path through the Quality & Safety Committee, the Executive Committee of the Medical Staff, and the Governing Body.
Claims: directed to the Local Risk Manager, Claims Adjuster, OGC and OPRS; the case is reviewed by the facility Risk Committee for quality of care; corrective action is reported to the Board of Regents as part of the request for settlement; retrospective reviews are tracked in UC Action.]

Exhibit 5.4 UC’s Enterprise Risk Management Approach to the Evaluation of Incidents, Events, and Claims
∗Serious events are identified and reported to location Quality of Care Steering Committee for review. This committee is multidisciplinary and includes key individuals of the Quality & Safety Committee (e.g., the chief medical officer, other physician staff members, the chief nursing officer, legal, quality, risk, and compliance).

• In addition, the medical centers measure and review data on a number of metrics from patient complaints to infection rates, patient falls, and so on.

• Hospital-level data is compared with national benchmarks, United Healthcare (UHC) data, and so on.

Individual adverse events may result in claims and lawsuits:

• Risk Services manages the Third Party Claims Administrator to ensure that the claims are promptly investigated and appropriately resolved. As part of this process, Risk Services monitors the Third Party Administrator (TPA) performance against developed performance expectations.

• Risk Services in conjunction with the Office of General Counsel (OGC) and medical center risk management staff collaborate to ensure that the cases are well managed throughout the claims and litigation process. A select panel of defense attorneys is assigned cases.

• Risk Services through Legalbill monitors law firm billing compliance with university guidelines to ensure that the university benefits from a cost-efficient and cost-effective legal defense.


• Medical Staff Risk Management Committee at each facility reviews claims and lawsuits and makes evaluations regarding the quality of care and corrective action that is needed internally; the committee monitors the action through to resolution by the responsible departments. The Risk Services director attends the committee meetings at the locations periodically.

• There are also facilities (allocation committees) that review settled claims and lawsuits and attribute responsibility to individual practitioners or to system issues. If individuals are identified as responsible, they are reported to the external state licensing boards. Risk Services and OGC are responsible to ensure that cases are appropriately reported to both the state licensing boards and the federal National Practitioner Data Bank, and work with the locations to advise them on reporting. Both the Risk Services director and an OGC representative participate with a facility medical director to review the reporting recommendations of the local facility.

• If cases result in costs to the university, inclusive of defense and indemnity, each location has to identify the risk issues involved and the corrective action taken or planned; this action is reviewed by the Risk Services professional liability (PL) program director and the CRO; for cases of certain value, the actions are also reviewed by the senior vice president for health sciences and service.

• Additionally, the General Counsel and the Board of Regents review the corrective action that is reported.

• In addition, Risk Services has developed and implemented a monitoring system to ensure that corrective actions on cases costing the university more than $50,000 are tracked through resolution through the UC Action process. UC Action is a software tool that permits the capture of events, the causes of loss, and the corrective action that was implemented across the UC System. It permits the assignment of controls to ensure that loss prevention actions are implemented and monitored to avoid recurrence of identified issues. Developed in conjunction with UC Davis, this tool supports the Risk Services and campus loss prevention efforts. All Risk Services program managers periodically review and assess the actions being taken for appropriateness.

The role and activities of UC’s Risk Services in adverse event clinical audit (quality assurance) include the following:

• The Risk Services director for professional liability manages the systemwide incident report (IR) system and receives reports of certain types of events via e-mail as well as being able to evaluate trend reports.

• The Risk Services director periodically provides reports of individual events and trends to the facility chief medical directors at their systemwide meetings. In addition, each medical director typically brings events to discuss to these meetings so that locations can learn from each other.

• In addition to the IR system, the Risk Services director is often called by the facility risk managers and alerted to serious events. The Risk Services director also serves as a resource for questions from the facilities.

• The Risk Services PL director implemented a program to ensure that all of the university’s claims and lawsuits are coded for loss prevention and trended. This was accomplished through using the Controlled Risk Insurance Company (CRICO1) Comprehensive Risk Intelligence Tool (CRIT). This program permits the university to identify the areas of greatest frequency and cost and the underlying contributing factors in a reliable manner. The university facilities have access to the system and are able to compare their trends against the other UC system and non-UC entities.

• The Risk Services director hosts monthly conference calls with medical center risk management staff to discuss matters of interest and loss prevention opportunities.

• Risk Services funds loss prevention activities for the medical centers and student health facilities targeted at reducing university liability. Examples include the prescription rebate program, which provided grant funds for loss prevention activities; ELM Exchange,2 which provides online risk education; EMMI Solutions information consent program, which helps ensure patient understanding of their clinical options to improve satisfaction; the Vanderbilt Patient Advocacy Reporting System (PARS) to identify and assist physicians who are outliers in terms of patient complaints; disclosure education; and operating room technology aimed at reducing retained foreign bodies.

• In addition, the senior vice president for health sciences and services collects and reviews data from multiple sources regarding hospital performance in clinical areas other than adverse clinical events.

• UC Action summary reports regarding corrective action are shared with the Regents on high-dollar-value litigated cases in the form of reports from the Office of General Counsel.

PREMIUM REBATE PROGRAM

In addition to the tools developed to assess risk and report on KPIs, the Office of the President’s Office of Risk Services has developed programs to reduce the frequency and severity of loss. For the Medical and Hospital Liability Program, Risk Services developed a Premium Rebate Program in 2006–2012 that was known as the Professional Liability Prescription Program (PLPP), designed to encourage risk reduction initiatives aimed at reducing the cost of risk for the hospitals and schools of medicine. The program encouraged clinical loss prevention and patient safety and rewarded hospitals and medical groups for developing and implementing specific initiatives. PLPP is a good example of propagating the concept that everyone is a risk manager. It put loss control in the hands of individuals responsible for the outcomes. It gave them the financial resources and incentives to make a difference. There were several parts to the PLPP (see Exhibit 5.5).

The University of California (UC) Professional Medical and Hospital Liability Program (PL) is the second largest component of UC’s cost of risk. In 2012, the Chief Risk Officer believed there was a need for more ERM focus on the university’s five medical centers and began exploring ways to make this happen.

University of California Center for Health Quality and Innovation (CHQI) had established a system to encourage initiatives designed to create a culture of improvement with the support of the CHQI board, comprised of the five academic medical center CEOs, the six deans of the Schools of Medicine, and chaired by the University’s Senior Vice President of Health Sciences & Services, with a small coordinating staff based at the UC Office of the President, Oakland.

Exhibit 5.5 Professional Liability Prescription Program (PLPP)

Grant Funds for Locally Developed Loss Prevention Initiative—Maximum Rebate 2 Percent of Premium

Requests for the 2 percent grant funds may be made at any time during the fiscal year; however, locations are encouraged to submit early.

Medical Center Risk Management offices are expected to coordinate the applications. Each project submitted for the grant funds must have both School of Medicine and Medical Center approval if applicable. Multiple requests per site are permitted until the 2 percent is exhausted. Once the funding application is approved by Risk Services, the funds will be transferred to the campus account. The campus must transfer to the appropriate local code. The funds must be used for the approved project; failure to apply the funds to the project will result in recoupment of the funds by Risk Services. Projects will be monitored by Risk Services.

Medical Center and School Departments Allocation of Premium—Maximum Rebate 4 Percent of Premium

Allocation of premium based on loss experience and exposure is a critical underpinning of a successful loss prevention program. To qualify for this rebate, each School of Medicine and Medical Center must implement allocation to departments using the Bickmore approved methodology. Half of the premium will go to the School of Medicine for its allocation to departments and half will go to Medical Centers for allocation of premium among its departments.

• Ensuring the location organization structure for premium allocation is current and appropriate.

• Reviewing and categorizing all historical and current malpractice cases to location identified Schools and Medical Centers and then to departments and divisions within each, entering the data into the Sedgwick CMS claims system on a continuous basis.

• Selecting and applying an allocation model from Bickmore recommendations to the fiscal year 2011–2012 budget.

• A written report, signed by the Dean and CEO of the Medical Center attesting to the methodology employed and the amounts paid by the various departments, is required.

Adoption and Implementation of EMMI—Maximum Rebate 2 Percent of Premium

Qualification for this rebate will require adoption and substantial implementation of EMMI by the individual locations during fiscal year 2011–2012. The amount of the rebate will be dependent on the degree of adoption of use as measured by EMMI data.

Use of Technology to Prevent Retained Surgical Sponges—Maximum Rebate 2 Percent of Premium

Human error in the counting process is a significant cause of retained sponges. Technical solutions such as Surgicount provide a reliable method to assure a valid sponge count. Reducing retained sponges through reliable technology contributes to improved patient safety, enhances hospital reputation, and avoids regulatory and legal expenses.

ERM AND THE CENTER FOR HEALTH QUALITY AND INNOVATION

In January 2013, the chief risk officer for the University of California and the executive director for the UC Center for Health Quality and Innovation (CHQI) announced a new joint venture. The new joint venture—the Center for Health Quality and Innovation Quality Enterprise Risk Management (CHQIQERM)—will award up to $8 million in grants for projects designed to reduce the risk of clinical harm to UC surgery patients in three priority areas:

1. Development of enterprise risk management (ERM) within the Schools of Medicine and medical centers. This includes projects that are aimed at clinical improvements involving multiple departments and divisions.

2. Projects aimed at reducing medical malpractice claims. These projects should take into consideration issues creating the highest frequency and severity of malpractice claims within the university facilities. Claims data identifying these areas of exposure will be provided. Projects will be evaluated based on transferability and sustainability. Ability to demonstrate a return on investment will also be considered.

3. Projects aimed at improving patient safety, quality, and efficiency within the University of California medical centers.

The joint venture seeks to fund projects by UC Health faculty and staff that use an evidence-based, systems approach to minimize the risk of clinical harm to UC patients. UC’s actuary will continue to evaluate the return on investment (ROI) of the projects and include evaluation of these loss prevention efforts in its actuarial study as it has in the past.

Funding is available to UC faculty and staff intending to engage in performance improvement activities at UC-owned and UC-operated medical centers. Individual projects are capped at $250,000 per academic medical center site. A five-campus project may be awarded up to $1.25 million.


“We’re thrilled to partner with Risk Services,” said Terry Leach, executive director of the UC Center for Health Quality and Innovation. “This collaboration will help leverage the talent of UC Health’s faculty and staff to improve patient safety at UC medical centers.”3

After an initial campus review, top-scored selections will receive a second round of review by the CHQIQERM Risk Advisory Committee in conjunction with the CHQI Operations Committee, with final selection by the CHQI board. Five-campus multisite proposals will automatically advance to receive a review by CHQIQERM.

The CHQIQERM will provide selected Project performance improvements (PIs), within three months of approval, a schedule to present their projects to various multicampus groups responsible for quality improvement and/or reduction of patient harm throughout UC, including the CHQI Operations Committee, the chief medical officer (CMO) and chief nursing officer (CNO) group, the UC quality officers, infection control officers, pharmacy chairs, CEOs, and so on. Presentations are designed to provide individuals responsible for integration of performance improvement projects throughout UC the opportunity to learn more about the funded projects, and to provide consultation for design modification, as appropriate, to increase support and acceptance of the funded projects.

By January 1, 2014, if project funds remain or if Risk Services provides additional resources, CHQIQERM will disseminate a second round of requests for proposals (RFPs), and will provide review and management pursuant to the previous year’s round of funding, with projects to be completed by June 30, 2015, unless a project continuation agreement has been negotiated and agreed upon by all parties, including the CHQI board.

PROTECTED HEALTH INFORMATION VALUE ESTIMATOR (PHIve)

The chief risk officer was invited to serve on an American National Standards Institute (ANSI) work group. The goal of the work group was to develop and publish a guide to bring attention to the risks associated with personal health information (PHI). When hospitals and medical centers perform risk assessments, they often fail to consider the magnitude of the disruption and reputational damage from a loss of personal health information.

Following participation in the work group, UC asked Bickmore ( to develop an electronic software tool for the Protected Health Information Value Estimator (PHIve). The methodology used in PHIve is described in greater detail with examples in the American National Standards Institute (ANSI) publication, “The Financial Impact of Breached Protected Health Information.” ANSI’s publication is available at the ANSI website.4

The PHIve applies a practical methodology for protected personal health information to calculate the potential (or actual) cost of a data breach to their organization. The purpose of this exciting new tool is to help PHI protectors understand the financial impact of a PHI breach so they can evaluate and recommend the appropriate investments necessary to mitigate the risk of a data breach. This helps reduce potential financial exposure while strengthening the organization’s reputation as a protector of the PHI entrusted to its care.


The tool will not make decisions for you, but it will help you organize your thinking as you consider the enterprise risk management implications of a breach of protected health information.

The five steps in PHIve are:

1. Assess risks. Assess the risks, vulnerabilities, and applicable safeguards for each PHI home. A PHI home is any organizational function or space (administrative, physical, or technical) and/or any application, network, database, or system (electronic) that creates, maintains, stores, transmits, or disposes of ePHI or PHI.

2. Security readiness score. Determine a security readiness score for each PHI home by determining the likelihood of a data breach based on the security readiness score scale.

3. Determine relevance. For each PHI home that has an unacceptable security readiness score, examine the relevance (i.e., likelihood or applicability) of a particular cost category, and apply a relevance factor from a provided hierarchy.

4. Determine potential repercussions. Relevance and consequences combined create the potential repercussions of a breach. Consequences are calculated using multiple aspects of a potential breach based on a variety of considerations for your organization. Types of repercussions include reputational (loss of patients, current customers, new customers, strategic partners, or staff), financial (including costs for remediation, communication, changes to insurance, changing associates, and business distraction), legal and regulatory, operational, and clinical.

5. Total the impacts. Add up all adjusted costs to determine the total adjusted cost of a data breach to the organization.

Relevance and consequences combined create the potential repercussions of a breach. Consequences are calculated using multiple aspects of a potential breach based on a variety of considerations for your organization.

Reputational Repercussions

Reputational repercussions of a breach may include:

• Loss of patients
• Loss of current customers
• Loss of new customers
• Loss of strategic partners
• Loss of staff (separate from staff lost due to potential disciplinary action related to a breach)

The impact of a breach may have greater reputational repercussions if it is shared through social media or other means that raise further awareness of the breach.


The demographics of those affected by a breach also change its reputational impact. Income and age are considerations for health privacy sensitivity, among other factors.

Financial Repercussions

Financial repercussions are grouped into five segments, each of which may contain multiple types of financial costs.

1. Cost of remediation may include:
   • Investigation or forensic costs
   • Corrective action plan costs
   • Workforce sanction costs
   • Identity theft monitoring costs

2. Costs of communication may include:
   • Notifying affected individuals
   • Notifying media outlets and notifying governmental agencies
   • Public relations costs
   • Investor relations

3. Costs of changes to insurance may include:
   • Broker costs
   • Presenting and negotiating with agencies
   • Increased cost of coverage

4. Costs of changing associates may include:
   • Due diligence for new vendors
   • Transitions to new vendors
   • Increased costs of new vendors

5. Costs of business distraction may include:
   • Lost productivity
   • Opportunity costs
   • Diversion of resources

Legal and Regulatory Repercussions

Legal and regulatory repercussions of a breach can be grouped into four areas:

1. Costs associated with actions by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), including:
   • Fines and penalties
   • Costs of additional corrective action plans

2. State fines and penalties

3. Lawsuit costs, including:
   • Legal costs
   • Settlement costs
   • Additional payments to affected individuals
   • Insurance deductibles

4. Costs associated with potential loss of accreditation or reinstatement of accreditation


Operational Repercussions

• Incremental cost of new hires
• Costs of recruiting and training new hires
• Costs associated with reorganization following a breach

Clinical Repercussions

• Fraudulent claims processed
• Delayed or inaccurate diagnoses
• Bad data in search results

Total the Impacts

Add up all adjusted costs to determine the total adjusted cost of a data breach to the organization.
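The roll-up described in the five PHIve steps can be followed end to end on constructed figures. The Python sketch below is an added illustration written for this page; it is not the chapter's own material and not Bickmore's PHIve tool. Its readiness-score threshold, the relevance labels and their factor values, and every dollar amount are assumptions made for the example, and the two "PHI homes" are invented. What the code does is exactly what the steps say: a PHI home whose readiness score is unacceptable (step 2) has each of the five repercussion categories weighted by a relevance factor (step 3), multiplied against its estimated consequence cost (step 4), and the adjusted costs are summed (step 5); a home with an acceptable score contributes nothing.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed readiness scale (constructed, not the ANSI scale): scores run 0..100,
# and a PHI home scoring below this threshold has an "unacceptable" score.
UNACCEPTABLE_THRESHOLD = 70

# Assumed relevance hierarchy (constructed): qualitative label -> factor.
RELEVANCE_FACTORS: Dict[str, float] = {
    "not_relevant": 0.0,
    "low": 0.25,
    "medium": 0.5,
    "high": 0.75,
    "certain": 1.0,
}

# The five repercussion types named in the PHIve method.
COST_CATEGORIES = ("reputational", "financial", "legal_regulatory",
                   "operational", "clinical")


@dataclass
class PHIHome:
    """One PHI home: a function, space, application, network, database or
    system that creates, maintains, stores, transmits or disposes of PHI."""
    name: str
    readiness_score: int            # step 2: security readiness score
    consequences: Dict[str, float]  # step 4: estimated cost per category (USD)
    relevance: Dict[str, str]       # step 3: relevance label per category


def is_unacceptable(home: PHIHome) -> bool:
    """Step 2 gate: only homes with an unacceptable score proceed to costing."""
    if not 0 <= home.readiness_score <= 100:
        raise ValueError(f"{home.name}: readiness score must be within 0..100")
    return home.readiness_score < UNACCEPTABLE_THRESHOLD


def relevance_factor(label: str) -> float:
    """Step 3: map a relevance label from the hierarchy to its factor."""
    try:
        return RELEVANCE_FACTORS[label]
    except KeyError:
        raise ValueError(f"unknown relevance label {label!r}") from None


def adjusted_costs(home: PHIHome) -> Dict[str, float]:
    """Steps 3-4: relevance factor x consequence for each category.
    Homes with an acceptable readiness score yield zero in every category."""
    if not is_unacceptable(home):
        return {c: 0.0 for c in COST_CATEGORIES}
    out: Dict[str, float] = {}
    for c in COST_CATEGORIES:
        cost = float(home.consequences.get(c, 0.0))
        if cost < 0:
            raise ValueError(f"{home.name}: negative consequence for {c}")
        label = home.relevance.get(c, "not_relevant")
        out[c] = relevance_factor(label) * cost
    return out


def cost_by_category(homes: List[PHIHome]) -> Dict[str, float]:
    """Adjusted cost summed across homes, per repercussion category."""
    totals = {c: 0.0 for c in COST_CATEGORIES}
    for h in homes:
        for c, v in adjusted_costs(h).items():
            totals[c] += v
    return totals


def total_adjusted_cost(homes: List[PHIHome]) -> float:
    """Step 5: total adjusted cost of a breach to the organization."""
    return sum(cost_by_category(homes).values())


# Constructed sample input: two hypothetical PHI homes.
SAMPLE_HOMES = [
    PHIHome(
        name="billing database (hypothetical)",
        readiness_score=55,  # below threshold: unacceptable
        consequences={"reputational": 200_000, "financial": 120_000,
                      "legal_regulatory": 300_000, "operational": 40_000,
                      "clinical": 0},
        relevance={"reputational": "high", "financial": "certain",
                   "legal_regulatory": "medium", "operational": "low",
                   "clinical": "not_relevant"},
    ),
    PHIHome(
        name="research file share (hypothetical)",
        readiness_score=85,  # acceptable: excluded from the roll-up
        consequences={"reputational": 50_000, "financial": 30_000},
        relevance={"reputational": "medium", "financial": "medium"},
    ),
]

if __name__ == "__main__":
    for home in SAMPLE_HOMES:
        print(home.name, "unacceptable" if is_unacceptable(home) else "acceptable",
              adjusted_costs(home))
    print("total adjusted cost:", total_adjusted_cost(SAMPLE_HOMES))
```

On the sample figures the billing database contributes 150,000 + 120,000 + 150,000 + 10,000 + 0 = 430,000, and the file share, being above the threshold, contributes nothing; changing the threshold or a relevance label shows immediately which investments move the estimate, which is the use the chapter describes for the tool.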

The pilot PHIve tool was previewed by UC’s medical risk managers for the first time at the University of California’s 2013 Risk Summit. Bickmore demonstrated the tool and sought comments from the UC medical risk managers before the tool was released.

ERM and Strategy

Risk is an inherent and essential part of any organization. When properly managed, risk drives growth and opportunity. If enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization’s capital, earnings, and operations, then it only makes sense that ERM is seen as a strategic tool for management.

The past several years have been a financially challenging time for the university. Even in the face of those challenges, however, the university has made significant strides in reducing its risk exposure, thereby allowing the campuses to focus their limited dollars on the university’s mission of teaching, research, and service. ERM is seen in the university as a continuous improvement process and has been integrated into its Working Smarter initiative.5

The Office of Risk Services, as part of the CFO division, has integrated the Division Strategic Goals6 into our operations:

• Reexamine the day-to-day
• Showcase our value-add
• Engage with the customer
• Develop our staff
• Be action-oriented

The Office of Risk Services continues to reexamine the day-to-day operations, looking for innovative ways to reduce risk while improving operational efficiency. It continues to showcase the savings that are generated by implementing ERM, and


continually engages its customers to learn how it can better meet their needs. It not only focuses on developing its staff, but encourages the professional development of those at the campuses and medical centers by providing the Risk Summit and monthly webinars. Finally, the tools and information provided by Risk Services allow campus and medical center leadership to be action-oriented and to be able to implement quickly programs that will result in immediate impacts. The guiding principle in all of the work that Risk Services does is to support the university mission of teaching, research, and public service, as well as patient care.

QUESTIONS

1. Your Medical Group wants to expand by starting a new venture, owning and operating a pharmacy. In order to increase the success, you have been asked to perform an enterprise risk assessment that includes reputational risk. Give three examples of how starting a new venture might have risk events that could lead to repercussions that would negatively impact the organization’s reputation and three examples where it might be enhanced, creating opportunity.

2. Explain how improvement is measured with KPIs and give one example related to Human Capital and how this KPI might help you improve your organization.

3. In the UC example, the ERM Program gives weight to both data-driven activities and to culture-changing activities. Give two examples of each and then your own opinion regarding which activities you believe to be most effective in implementing an ERM program.

4. What do you think is the difference between traditional risk management and enterprise risk management?

5. From the UC example, identify what aspects of their program were “carrots” and which ones were “sticks.” From your own experience describe which one you think works best in creating lasting change.

NOTES

1. CRICO is the patient safety and medical liability company that serves the Harvard University medical community. It is a leader in evidence-based risk management.
2. Education in Legal Medicine.
3. UC Health, January 8, 2013.
4.
5.
6.

ABOUT THE CONTRIBUTOR

Grace Crickette joined AAA Northern California, Nevada, and Utah (NCNU) in May 2013 as the Senior Vice President and Chief Risk and Compliance Officer. She was the former Chief Risk Officer at the University of California. In her current position, she is charged with implementing enterprise risk management (ERM) with her legal, compliance, risk management, and internal audit team. The Risk Services team provides internal audit and consultation, legal consultation, quality assurance and compliance, risk financing and captive solutions, crisis and consequence management, and loss prevention and loss control services. The Risk Services team’s ERM vision is to support AAA’s Membership Promise: “We will keep you safe and secure—We will offer you the right product at the right time—We will provide you helpful and knowledgeable service—We will reward your loyalty—One Member, One AAA.”

Prior to coming to AAA NCNU, Grace served as the University of California’s Chief Risk Officer. Major initiatives for the Risk Services department included reducing the cost of risk, implementing system and local safety programs, improving claims management systems, developing risk financing strategies, and implementing enterprise risk management (ERM), and emergency management and business continuity planning throughout the university.

Grace joined the University of California in December 2004 after 13 years as a vice president and officer in audit, insurance, safety, and human resources capacities for the equipment and construction industry. She graduated with distinction from the University of Redlands with a bachelor’s degree in business administration, and holds a variety of professional designations in the areas of claims, safety, audit, and human resources, including Associate in Risk Management and Senior Professional in Human Resources.

In 2008, Grace received the Risk Innovator Award for innovation and excellence in risk management in higher education. She received the Information Security Executive (ISE) of the Year West Award 2011 and National Award 2011 for Higher Education/Non Profit Sector for innovative problem solving related to a collaborative partnership with the University of California’s chief information officer and other information technology (IT) professionals, insurance brokers, and underwriters for securing previously unavailable and much-needed cyber coverage and at the same time developing a program that will drive improvement and best practices into the future. She also received the ISE award of the decade for Higher Education/Non Profit Sector for her overall commitment to IT security. She was chosen in 2011 as one of Business Insurance’s Women to Watch, an annual feature spotlighting 25 women who are doing outstanding work in commercial insurance, reinsurance, risk management, employee benefits, and related fields, such as law and consulting. She was also selected by Business Insurance magazine for its 2011 Risk Management Honor Roll. Also in 2011, Treasury & Risk magazine named her one of the “100 Most Influential People in Finance.” She has consulted with numerous public and private entities on the implementation of ERM, including Harvard University and SingHealth, Singapore’s largest health care group.


Strategic Risk Management at the LEGO Group: Integrating Strategy and Risk Management

MARK L. FRIGO Director, Strategic Risk Management Lab, and Ledger & Quill Distinguished Professor of Strategy and Leadership, DePaul University

HANS LÆSSØE Senior Director of Strategic Risk Management, LEGO Group

How can organizations manage strategic risks in a volatile and fast-paced business environment? Many have started focusing their enterprise risk management (ERM) programs on the critical strategic risks that can make or break a company. This effort is being driven by requests from boards and other stakeholders and by the realization that a systematic approach is needed and that it’s highly valuable to include strategic risk management in ERM and to integrate risk management within the fabric of an organization.

In this case1 we describe strategic risk management at the LEGO Group, which is based on an initiative started in late 2006 and led by Hans Læssøe, senior director of strategic risk management at LEGO System A/S. It’s also part of the continuing work of the Strategic Risk Management Lab at DePaul University, which is identifying and developing leading practices in integrating risk management with strategy development and strategy execution. This descriptive case provides a great example of integrating risk management into the strategy development and strategy execution.

ABOUT THE LEGO GROUP

Headquartered in Billund, Denmark, the family owned LEGO Group has 12,500 employees worldwide and is the second-largest toy manufacturer in the world in terms of sales. Its portfolio, which focuses on LEGO bricks, includes 25 product lines sold in more than 130 countries. The name of the company is an abbreviation of the two Danish words leg godt that mean “play well.” The LEGO Group began in 1932 in Denmark, when Ole Kirk Kristiansen founded a small factory for making wooden toys. Fifteen years later, he discovered that plastic was the ideal material for toy production and bought the first injection molding machine in Denmark.

In 1949, the brick adventure started. Over the years, the LEGO Group perfected the brick, which is still the basis of the entire game and building system. Though there have been small adjustments in shape, color, and design from time to time, today’s LEGO bricks still fit bricks from 1958. The 2,400 different LEGO brick shapes are produced in plants in Denmark, the Czech Republic, Hungary, and Mexico with the greatest of precision and subjected to constant controls. There are more than 900 million different ways of combining six eight-stud bricks of the same color.

THE LEGO GROUP STRATEGY

To understand strategic risk management at the LEGO Group, you need to understand the company’s strategy. This is consistent with the first step in developing strategic risk management in an organization: to understand the business strategy and the related risks as described in the strategic risk assessment process.2

The LEGO Group’s mission is “Inspire and develop the builders of tomorrow.” Its vision is “Inventing the future of play.” To help accomplish them, the company uses a growth strategy and an innovation strategy.

• Growth strategy. The LEGO Group has chosen a strategy that’s based on a number of growth drivers. One is to increase its market share in the United States. Many Americans may think they buy a lot of LEGO products, but they buy only about a third of what Germans buy, for example. Thus there are potential growth opportunities in the U.S. market.

The LEGO Group also wants to increase market share in Eastern Europe, where the toy market is growing very rapidly. In addition, it wants to invest in emerging markets, but cautiously. The toy industry isn’t the first one to move into new, emerging markets, so the LEGO Group will invest at appropriate levels and be ready for when those markets do move. It will also expand direct-to-consumer activities (sales through LEGO-owned retail stores), online sales, and online activities (such as online games for children).

• Innovation strategy. On the product side, the LEGO Group focuses on creating innovative new products from concepts developed under the title “Obviously LEGO, never seen before.” The company plans to come up with such concepts every two to three years. One of the latest examples is LEGO Games System, which consists of family board games (a new way of playing with LEGO bricks) with a LEGO attitude of changeability (obviously LEGO). The company also intends to expand LEGO Education, its division that works with schools and kindergartens. And it will develop its digital business as the difference between the physical world and the digital world becomes more and more blurred and less and less relevant for children.

Now let’s look at the development of LEGO strategic risk management.


Exhibit 6.1 Four Elements of Risk Management at the LEGO Group: (1) Enterprise Risk Management, (2) Monte Carlo Simulations, (3) Active Risk & Opportunity Planning (AROP), (4) Preparing for Uncertainty

LEGO STRATEGIC RISK MANAGEMENT

The LEGO Group developed risk management in four steps (numbered in the order in which the steps were initiated) as shown in Exhibit 6.1:

• Step 1. Enterprise risk management was traditional ERM in which financial, operational, hazard, and other risks were later supplemented by explicit handling of strategic risks.

• Step 2. Monte Carlo simulations were added in 2008 to understand the financial performance volatility (which proved to be significant) and the drivers behind it to integrate risk management into the budgeting and reporting processes. During the past two years the use of Monte Carlo simulations was refined, as described later in this chapter.

Those two steps were seen mostly as damage control. To get ahead of the decision process and have risk awareness impact future decisions as well, LEGO risk management added:

• Step 3. Active risk and opportunity planning (AROP), where business projects go through a systematic risk and opportunity process as part of preparing the business case before final decisions about the projects are made.

• Step 4. Preparing for uncertainty, where management tries to ensure that long-term strategies are relevant for and resilient to future changes that may very well differ from those planned for. Scenarios help them envision a set of different yet plausible futures to test the strategy for resilience and relevance.

These last two steps were designed to move upstream—or get involved earlier in strategy development and the strategic planning and implementation process.

Strategic Risk Management Lab Commentary

This four-step approach is a good illustration of how organizations can develop their risk management capabilities and processes in incremental steps. It represents an example of how to evolve beyond traditional ERM and integrate risk management into the strategic decision making of an organization. This approach positions risk management as a value-creating element of the strategic decision-making process and the strategy-execution process.

96 Implementing Enterprise Risk Management

In our research on high-performing companies, we’ve found that the LEGO Group, like those companies, achieves sustainable high performance and creates stakeholder value by consistently executing the strategic activities in the Return-Driven Strategy framework (for example, the focus on innovating its offerings toward changing customer needs) while co-creating value through its engagement platforms—that is, the online community, including its My LEGO Network, which engages more than 400 million people and helps its product development process; see Venkat Ramaswamy and Francis Gouillart, The Power of Co-Creation (Free Press 2010). Its strategic risk management processes incorporate distinct elements of co-creation by engaging its employees (internal stakeholders) throughout the strategic decision-making, planning, and execution processes, as well as engaging external stakeholders (suppliers, partners, customers). The LEGO Group’s approach is a good example of how an organization can engage stakeholders in co-creating strategic risk/return management (see Mark L. Frigo and Venkat Ramaswamy, “Co-Creating Strategic Risk-Return Management,” Strategic Finance, May 2009).3

ENTERPRISE RISK MANAGEMENT (STEP 1)

The evolution of ERM toward strategic risk management is represented in Exhibit 6.2. Strategic risk was missing from the ERM portfolio until 2006.

To fix this, based on his then 25 years of LEGO experience and a request from the CFO, Hans Læssøe started looking at strategic risk management. “I was a corporate strategic controller who had never heard the term until then,” he says. The company had embedded risk management in its processes. Operational risk—minor disruptions—was handled by planning and production. Employee health and safety was OHSAS 18001 certified. Hazards were managed through explicit insurance programs in close collaboration with the company’s partners (insurance companies and brokers). Information technology (IT) security risk was a defined functional area. Financial risk covered currencies and energy hedging as well as credit risks. And legal was actively pursuing trademark violations as well as document and contract management. But strategic risks weren’t handled explicitly or systematically, so the CFO charged Hans with ensuring they would be from then on. This became a full-time position in 2007, and Hans added one employee in 2009 and another in 2011.

Exhibit 6.2 The LEGO ERM Umbrella: Adding Strategic Risk (figure; the labeled risk areas under the umbrella include Employee Safety, IT Security, and Strategic, marked as added)


Strategic Risk Management Lab Commentary

The 2006 situation is common. Even though strategic risks need to be integrated with risk management, many organizations don’t explicitly assess and manage strategic risks within strategic decision-making processes and strategy execution. A recent study by the Corporate Executive Board found that strategic risks have the greatest negative impact on enterprise value: “strategic risk caused 68 percent of severe market capitalization declines.”4 But the LEGO Group’s approach shows how strategic risk management can be a key to increasing the value of ERM within an organization. It also shows how executive leadership from the CFO played an important role in the evolution of ERM as a valuable management process. Finally, Hans came from the business side and had the attributes necessary to lead the initiative: broad knowledge of the business and its core strategies, strong relationships with directors and executive management, strong communication and facilitation skills, knowledge of the organization’s risks, and broad acceptance and credibility across the organization. (For more, see Mark L. Frigo and Richard J. Anderson, Embracing ERM: Practical Approaches for Getting Started, at, p. 4.)

Also, the risk owner concept at LEGO provides a good example of the importance of understanding who owns the risks as well as defining the role of risk management in the organization. The idea of “risk owners” was important to ensure action and accountability. Hans’s charge was to develop strategic risk management and make sure the LEGO Group had processes and capabilities in place to do this. But as senior director of strategic risk management, Hans doesn’t own the risk. He can’t own the risk, because this essentially would mean he would own the strategy, and each line of business owns the pertinent strategic risks. Hans trains, leads, and drives line management to apply a systematic process to deal with risk. The mission of Hans’s strategic risk management team is to “drive conscious choices.” This is just like budgeting functions: They don’t earn the money or spend the money, but they support management to deliver on the budget or compare performance against the budget.

MONTE CARLO SIMULATION (STEP 2)

In 2008, Hans introduced Monte Carlo simulation into the process. A mathematician by education (MSc in engineering), he started defining how Monte Carlo simulation could be used in risk management. Now it’s being used for three areas:

1. Budget simulation. The business controllers were asked for their input about volatility, which is combined with analyses based on past performance of budget accuracy. Managers said this helped them understand the financial volatility, so it was part of the financial and budget reporting in 2012. In fact, the first analyses directed top management’s attention to a sales volatility that was known but that proved to be much more significant than everyone intuitively believed. During the past two years, this approach has been refined as described by Hans: “We actually stopped this. It was found that the volatility of the business is so significant that we have stopped budgeting altogether, as the process took a lot of effort—too little value as conditions changed. Today (2014) we use an estimate process where a small team of lead controllers defines a preliminary estimate for board of directors discussions. In March (each year) we do a detailed estimate on which we base KPIs, targets, bonus criteria, et cetera. Monthly, we then update the estimate, and hence our financial planning process is more dynamic . . . and we do not need the budget simulation anymore.”

2. Credit risk portfolio. The LEGO Group uses a similar approach to look at its credit risk portfolio so it can have a more professional conversation with a credit risk insurance partner.

3. Consolidation of risk exposure. You could multiply the probability and impact of each risk and add the whole thing up. Risk management isn’t about averages (if it were, no one would take out an insurance policy on anything). With a Monte Carlo simulation, the LEGO Group can calculate the 3 percent worst-case loss compared to budget and use that to define risk appetite and risk report exposure vis-à-vis this risk appetite, as shown in Exhibit 6.3.

Risk Tolerance

As a privately held company, the LEGO Group can’t look at stock values, so it looks at the amount of earnings the company is likely to lose compared to budget if the worst-case combined scenarios happen. Not all risks will materialize in any one year, because some of them are mutually exclusive; but a huge number may happen in any one year, as we have seen during the global financial crisis. Hans computes a net earnings at risk (EaR), and corporate management and later the board of directors use that net earnings at risk to define their risk tolerance. They have said that the 3 percent worst-case loss may not exceed a certain percentage of the planned earnings (the percentage is not 100). That guides management toward understanding and sizing the risk exposure. This process has helped the LEGO Group take more risks and be more aggressive than it otherwise would have dared to be, and to grow faster than it otherwise could have done.

Exhibit 6.3 Monte Carlo Simulations and Risk Appetite at the LEGO Group (figure: Company Risk Exposure (Gross and Net), showing Gross EaR, Net EaR, the effect of mitigation, and the 3% of simulations tail)

Strategic Risk Management Lab Commentary

Risk tolerance is a difficult area for organizations to address. The approach used at the LEGO Group provides a good example of deriving risk tolerance (the term LEGO uses rather than risk appetite) in an actionable and systematic way. It also shows an approach that fosters intelligent risk taking and that avoids being too risk averse while maintaining discipline on the amount of risk undertaken. Hans has actually had cases where he recommended taking on more risks to meet elusive targets. He uses an analogy to communicate the idea of taking risks and not being too risk averse: “I used the (very normal) traffic picture . . . ‘Guys, you are getting late for the party, yet you are still cruising at 40 mph on the highway. Why not speed up to the 70 mph you are allowed to drive—if that will more likely take you to the party in time?’”

What we’ve discussed so far is more or less damage control because it’s about managing risks already taken by approving strategies and initiating business projects. Hans decided he wanted to move beyond damage control and be more proactive so he could create real value as a risk manager. He came up with a process he calls active risk and opportunity planning (AROP) for business projects.

AROP: ACTIVE RISK ASSESSMENT OF BUSINESS PROJECTS (STEP 3)

When the LEGO organization implements business projects of a defined minimum size or level of complexity, it’s mandatory that the business case includes an explicit definition and method of handling both risks and opportunities. Hans says that the LEGO Group has created a supporting tool (a spreadsheet) with which to do this, and it differs from the former approach to project risk management in several areas. Hans has the following to say on each:

• Identification, “where we call upon more stakeholders, look at opportunities as well as risks, and look at risks both to the project and from the project (i.e., potential project impact on the entire business system).”

• Assessment, “where we define explicit scales and agree what ‘high’ means to avoid different people agreeing on an impact being high without having a shared understanding of the exposure.”

• Handling, “where we systematically assign risk owners to ensure action and accountability and include the use of early warning indicators, where these are relevant.”


• Reassessment, “where we explicitly define the net risk exposure to ensure that we have an exposure we know we can accept, the reason being that we have seen people ignore this step, and hence do too much or too little to a particular risk; here, we ask them to deliberately address whether or not they can and will accept the residual risk—and know what it is they accept. From time to time we see the individual risks being accepted, but then, when we do the Monte Carlo simulation on the project (yes, we use it here as well), we see that the likelihood of meeting the target is still too low—and more risk mitigation or opportunity pursuit is called for and included in the project.”

• Follow-up, “where we keep the risk portfolio of the project updated for gate and milestone sessions.”

• Reporting, “which is done automatically and fully standardized based on the data.”
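The two Monte Carlo uses described above, consolidating a risk register into a 3 percent worst-case earnings at risk (the Step 2 consolidation and the risk tolerance rule) and re-checking whether a project is still likely to meet its target after every individual risk has been accepted (the AROP reassessment step), can be made concrete in a short simulation. The Python below is an added example, not LEGO’s spreadsheet tool or any code from the chapter; the risk register, the mitigation actions, the planned earnings of 100, the target of 80, and the tolerance of 60 percent of plan are all invented for illustration. It also handles the mutual exclusivity the text mentions (two risks in one group cannot both occur in the same year), which the simple “probability times impact” sum ignores.

```python
"""Monte Carlo aggregation of a risk register: expected loss versus the
3 percent worst-case earnings at risk (EaR), gross and net of mitigation,
plus the AROP-style check of whether a target is still likely to be met.

Constructed example; every value in the register is invented, not LEGO data."""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    probability: float                              # chance the event occurs in the planning year
    impact: float                                   # earnings lost versus plan if it occurs
    mitigated_probability: Optional[float] = None   # after the risk owner's action (None = unchanged)
    mitigated_impact: Optional[float] = None
    exclusive_group: Optional[str] = None           # risks in one group cannot both occur

    def scenario(self, net: bool):
        """(probability, impact) to simulate; net falls back to gross where no action exists."""
        if not net:
            return self.probability, self.impact
        p = self.probability if self.mitigated_probability is None else self.mitigated_probability
        i = self.impact if self.mitigated_impact is None else self.mitigated_impact
        return p, i


# Constructed register (hypothetical values, in the same unit as planned earnings).
REGISTER = [
    Risk("Key supplier outage", 0.10, 30.0, mitigated_impact=12.0),                  # dual sourcing
    Risk("Demand shortfall in a major market", 0.25, 40.0, mitigated_probability=0.15),
    Risk("Unfavourable currency move", 0.40, 15.0, mitigated_impact=5.0),            # hedging
    Risk("Launch slips one quarter", 0.20, 10.0, exclusive_group="launch"),
    Risk("Launch slips two quarters", 0.05, 35.0, exclusive_group="launch"),
]


def expected_loss(register, net=False):
    """The 'multiply probability by impact and add it up' figure: an average,
    which is exactly what the text says risk management is not about."""
    return sum(p * i for p, i in (r.scenario(net) for r in register))


def draw_year_loss(register, rng, net):
    """One simulated year. Independent risks are drawn separately; risks sharing
    an exclusive group are drawn with a single uniform so at most one of them occurs."""
    total, groups = 0.0, {}
    for r in register:
        if r.exclusive_group is None:
            p, i = r.scenario(net)
            if rng.random() < p:
                total += i
        else:
            groups.setdefault(r.exclusive_group, []).append(r)
    for members in groups.values():
        u, cumulative = rng.random(), 0.0
        for r in members:
            p, i = r.scenario(net)
            cumulative += p
            if u < cumulative:
                total += i
                break
    return total


def simulate_losses(register, trials=20000, net=False, seed=1):
    rng = random.Random(seed)   # fixed seed keeps the report reproducible
    return [draw_year_loss(register, rng, net) for _ in range(trials)]


def earnings_at_risk(losses, tail=0.03):
    """Loss exceeded in only `tail` of the simulations (the 3 percent worst case)."""
    ordered = sorted(losses)
    return ordered[min(int((1 - tail) * len(ordered)), len(ordered) - 1)]


def within_tolerance(ear, planned_earnings, max_fraction):
    """Board rule from the text: the 3 percent worst-case loss may not exceed
    a set fraction of planned earnings."""
    return ear <= max_fraction * planned_earnings


def probability_of_meeting_target(losses, planned_earnings, target):
    """AROP reassessment: share of simulated years in which earnings after losses
    still reach the target, even though each risk was individually 'accepted'."""
    return sum(1 for loss in losses if planned_earnings - loss >= target) / len(losses)


if __name__ == "__main__":
    plan, target, tolerance = 100.0, 80.0, 0.60   # hypothetical planning values
    for label, net in (("Gross", False), ("Net", True)):
        losses = simulate_losses(REGISTER, net=net)
        ear = earnings_at_risk(losses)
        print(f"{label}: expected loss {expected_loss(REGISTER, net):.2f}, 3% EaR {ear:.0f}, "
              f"within tolerance: {within_tolerance(ear, plan, tolerance)}, "
              f"P(meet target) {probability_of_meeting_target(losses, plan, target):.2f}")
```

The gross expected loss of this register is 22.75, while the 3 percent worst case is several times that, which is the point of the passage: a board that sizes tolerance on the average would accept exposures the tail reveals to be unacceptable. Because gross and net runs share the seed, each simulated year’s net loss is never larger than its gross loss, so the difference between the two EaR figures is purely the effect of mitigation, as in Exhibit 6.3.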

Common Language and Common Framework

The most important point is that the people who address and work with risks get a systematic approach so they can use the same approach from Project A for Project B. The one element that project managers really like is having the data in a database. They don’t receive just a spreadsheet model. Data are entered into the spreadsheet as a database, and all the required reporting on risk management is collected from that data, so project managers don’t have to develop a report—they can just cut and paste from one of the three reporting sheets that are embedded in the tool. All the reports are standardized. That’s good for the project managers, but it’s also good for the people on the steering committees because they now receive a standardized report on risks. They don’t have to cope with a change of layout between probability/impact risk maps, or with somebody introducing “severity” or some other scale, from project to project. Everyone has the same kind of formula, the same way of doing it.

Strategic Risk Management Lab Commentary

The AROP process is a great example of integrating risk assessment in terms of upside and downside risks in the strategic decision-making process. This balanced approach to strategic risk management allows organizations to create more stakeholder value while intelligently managing risk.

PREPARING FOR UNCERTAINTY: DEFINING AND TESTING STRATEGIES (STEP 4)

To get further ahead in the decision process, the LEGO Group has added a systematic approach to defining and testing strategies. As Hans notes, “We are going one step further upstream in the decision process with what we call ‘Prepare for Uncertainty.’ This is a strategy process, and we’re looking at the trends of the world. The industry is moving; the world is moving quite rapidly. I just saw a presentation that indicated that the changes the world will see between 2010 and 2020 will be somewhere between 10 and 80 times the changes the world saw in the twentieth century, compressed into a decade.”


He offers the following story to illustrate the forces of change the company is facing: “My seven-year-old granddaughter came to me and asked, ‘Granddad, why do you have a wire on your phone?’ She didn’t understand that. She’d never seen a wire on a phone before. We need to address that level of change and do it proactively.”

Four Strategic Scenarios

A group of insightful staff people (Hans and a few from the Consumer Insight function) defined a set of four strategic scenarios based on the well-documented megatrends defined by the World Economic Forum in 2008 for the Davos meetings. Hans commented:

“We presented and discussed these with senior management in 2009, prior to their definition of 2015 strategies, to support that they would look at the potential world of 2015 when defining strategies and not just extrapolate present-day conditions.

“Having done that, we then prepared to revisit each key strategy vis-à-vis all four scenarios to identify issues (i.e., risks and opportunities) for that particular strategy if the world looks like this particular scenario.

“This list of issues is then addressed via a PAPA model whereby a strategic response is defined and embedded in the strategy.

“This way, we believe that we have reasonably ensured our strategies will be relevant if/when the world changes in other ways than we originally planned for.”

During the past two years, LEGO refined the process and used it actively, the reason being that the original scenarios did in fact not lead to much explicit action. Today a scenario session is a five-hour workshop where participants focus on one particular strategy (e.g., market entry in China). The workshop is with the management team that owns the strategy and its implementation.

• The first hour they discuss and agree on two key drivers of uncertainty to their strategy (the axes of the 2 × 2 scenarios). Hans’s team comes with a battery of potential drivers—and they (after some discussion) end up with two—leading to four quadrants of a 2 × 2 matrix.

• The next two hours the team describes the four quadrants one at a time. First, they individually use Post-it notes to write down descriptive elements or key success factors for the scenario (the Post-it session is to avoid groupthink). Then they share their descriptions and discuss their way into a reasonably consistent image of that scenario, before they move on to the next.

• The fourth hour is used to define strategic issues—again Post-it notes and sharing. Here they are diligently coached to be aware that any issue may be an opportunity (if they choose to pursue this in time). If they do not pursue this, it may become a risk, and if they still don’t do anything and the risk materializes, it becomes a problem. The sharing process includes a prioritization discussion in LEGO’s PAPA model (see later in this chapter).

• The last hour focuses first and foremost on actions to be taken. The team discusses and agrees on explicitly “who is doing what by when” to ensure action on the issues that the team members have themselves decided are important, likely, and fast moving.


The role of Hans’s team is to coach the process, including asking provocative questions and ensuring that team members get out of their comfort zone (where the real world is). The process is mandatory for business planning and strategy definition, and in 2013 Hans’s team was involved with doing 25 of these workshop sessions as the company business plans were to be updated. Subsequently it was documented that 75 percent of these business plans had taken on explicit actions on issues they had not seen prior to the session—hence the value.

Hans explains, “Once we have decided on the strategy and defined what we’re going to do, we test the strategy for resilience. We very simply take that particular strategy and, together with the strategy owner, discuss: If this scenario happens, what will happen to the strategy? Some of these issues will be highly probable, and some of them will be less probable. Some of them will happen very fast; some others will happen very slowly. This is where the PAPA model comes in.”

THE PAPA MODEL

When looking at the issues inspired by the scenarios, the LEGO Group uses what it calls a Park, Adapt, Prepare, Act (PAPA) model, as shown in Exhibit 6.4. Hans explains:

• Park: “The slow things that have a low probability of happening, we park. We do not forget about them.”

• Adapt: “The slow things that we know will happen or are highly likely to happen, we adapt to those trends. In our case, this is a lot around demographics. We know children’s play is changing, we know demographics are changing, and we know the buying power between the different realms or the different parts of the world is changing. Although we know children’s play is changing, we also know it does not happen fast. So we adjust, systematically monitoring what direction it’s moving in and following that trend.”

• Prepare: “The things that have a low probability of happening, but, if they do, they materialize fast, we need to be prepared for this. In fact, this is where we identify most of the risks that we need to put into our ERM risk database, make sure that we have contingency plans for them, and apply early warnings and whatever mitigation we can put in place to make sure that we can cover these should they materialize, but they are not expected to.”

Exhibit 6.4 LEGO’s PAPA Model (figure: Overall Strategic Response laid out as a 2 × 2 of Likelihood, from Low upward, against Speed of Change, from Slow to Fast)

• Act: “Finally, we have the high-probability and fast-moving things that we need to act on now in order to make sure the strategy will be relevant. In our case, anything that has to do with the concept of connectivity (i.e., mobile phones, Internet, that world)—if we can see it, we move on it. We know that it is changing so fast, and it’s changing the way kids play. It’s changing their concepts and their view of the world.”

Hans concludes, “This way, we have a kind of model of what we do, because we shouldn’t, of course, be betting on every horse in the race. That’s not profitable, and it isn’t even doable.”

Strategic Risk Management Lab Commentary

One of the challenges of risk management is to find ways to prioritize risks that make business sense. The PAPA model provides a good example of a framework that can prioritize risks and set the stage for the appropriate actions. Our research on high-performance companies (see Mark L. Frigo, “Return Driven: Lessons from High Performance Companies,” and the book Driven: Business Strategy, Human Actions, and the Creation of Wealth by Mark L. Frigo and Joel Litman) found that companies that demonstrate sustainable high performance exhibit a “vigilance to forces of change” that allows them to manage the threats and opportunities in the uncertainties and changes better than other companies do.5 The approach used at LEGO is a great example of embedding this vigilance to forces of change in its strategy development and strategy execution processes. The scenario analysis approach used at LEGO provides an engagement platform for engaging stakeholders in the risk management process.6

STRATEGIC RISK MANAGEMENT RETURN ON INVESTMENT

A great deal has happened in the LEGO Group’s approach to risk management based on strong support from top management (always needed to develop processes and methodologies) and a strong focus. They have demonstrated value from the efforts they’ve made. They also have explicitly embedded risk management in most of the key planning processes used to run the company:

• The Strategic Scenarios used in business planning

• The LEGO Development Process—includes Monte Carlo simulation of overall project risk/opportunity exposure

• The Customer Business Planning Process—AROP in collaboration

• The Sales and Operations Planning Process—tactical scenarios

• The Performance Management Process—bonuses based on results, not



“All of this has worked,” Hans says. “Based on actual data, we have had a 20 percent average growth from the period between 2006 and 2010 in a market that barely grows 2 percent and 3 percent a year. It has continued so 2006 to 2012 has a cumulative annual growth rate of 20 percent, leading to a tripling of the size of the company based on official public data. Beyond that, our profitability has developed quite significantly as well. We’ve grown from a 17 percent return on sales in 2006 to 34 percent return on sales in 2012. And it goes beyond that. If you go back a couple more years, in 2004 we were in dire straits and had a negative return on sales of 15 percent. We changed a number of strategies.

“Risk management is not the driver of these changes,” Hans continues. “I’m not even sure it’s a big part. But it’s one part. It’s a part that has allowed us to take bigger risks and make bigger investments than we otherwise would have seen. The Monte Carlo simulation has shown us what the uncertainty is and was a key element of changing the financial planning process to a more dynamic estimation approach. The risk tolerance has shown us how much risk we are prepared to take, between the board of directors and the corporate management team. This has meant that we have been prepared to make bigger supply chain investments than we otherwise would have done and have been able to achieve bigger growth than we ever imagined we could have.”

Strategic Risk Management Lab Commentary

The development of strategic risk management at the LEGO Group provides a great example of how organizations can develop their ERM programs to incorporate strategic risk and make strategic risk management a discipline and core competency within. One of the key elements was integration. During discussions with LEGO management, when Hans was asked about the ongoing development of risk management at the LEGO Group, he replied that it was “naturally integrated.” It is this integration of risk management in strategy and strategy execution, and the integration of strategy in risk management, that can elevate the value of ERM in an organization.

CONCLUSION

We want to emphasize that risk management is not about risk aversion. If, or rather when, you want or need to take bigger chances than your competitors—and get away with it (succeed)—you need to be better prepared. The fastest race cars in the world have the best brakes and the best steering to enable them to be driven faster, not slower. Risk management should enable organizations to take the risks necessary to grow and create value. To quote racing legend Mario Andretti: “If everything’s under control, you’re going too slow.” The approach and philosophy described in this case are reflected in the mission of the strategic risk management team at the LEGO Group to “drive conscious choices.”

QUESTIONS

1. What are the advantages of integrating ERM with strategy and strategy execution as described in this case?

2. How does scenario analysis as described in this case help an organization to prepare for uncertainties?

3. What are the advantages of using the PAPA model to categorize risks?

4. How would you describe the “Strategic Risk Management Return on Investment” at LEGO?

5. The mission of the strategic risk management team is to “Drive conscious choice.” How does the Active Risk and Opportunity Planning (AROP) element of strategic risk management at LEGO help to drive conscious choice?

NOTES

1. This chapter was adapted from Mark L. Frigo and Hans Læssøe, "Strategic Risk Management at the LEGO Group," Strategic Finance (February 2012) with the permission of Strategic Finance and the Institute of Management Accountants. An earlier version of this case was presented at the Risk and Insurance Management Society (RIMS) Conference, where Mark and Hans serve as members of the RIMS Strategic Risk Management Development Council.

2. M. L. Frigo and R. J. Anderson, “Strategic Risk Assessment: A First Step for Improving Governance and Risk Management,” Strategic Finance 12 (2009), 25–35.

3. Also see Hans Læssøe, Venkat Ramaswamy, and Mark L. Frigo, "Strategic Risk Management in the Co-Creative Enterprise," Working Paper, Strategic Risk Management Lab, DePaul University, 2014.

4. See “Using ERM to Improve Strategic Decisions,” CEB Risk Management Leadership Council, Corporate Executive Board, 2013.

5. Also see Mark L. Frigo, Driven Strategy: Creating and Sustaining Superior Performance (Palo Alto, CA: Stanford University Press, forthcoming 2015).

6. A. Mikes and D. Hamel, “The LEGO Group: Envisioning Risks in Asia,” Harvard Business School Case 113-054, November 2012.

REFERENCES

Frigo, M. L. 2008. “Return Driven: Lessons from High Performance Companies.” Strategic Finance 7, 24–30.

Frigo, Mark L. 2015. Driven Strategy: Creating and Sustaining Superior Performance. Palo Alto, CA: Stanford University Press, forthcoming.

Frigo, M. L., and R. J. Anderson. 2009. “Strategic Risk Assessment: A First Step for Improving Governance and Risk Management.” Strategic Finance 12, 25–35.

Frigo, M. L., and R. J. Anderson. 2011. “Embracing ERM: Practical Approaches for Getting Started.” Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Frigo, Mark L., and Mark Beasley. 2010. “ERM and Its Role in Strategic Planning and Strategy Execution.” In John Fraser and Betty J. Simkins, eds. Enterprise Risk Management. Hoboken, NJ: John Wiley & Sons.

Frigo, Mark L., and Hans Læssøe. 2012. “Strategic Risk Management at the LEGO Group.” Strategic Finance 2, 27–35.

Frigo, Mark L., and Joel Litman. 2007. Driven: Business Strategy, Human Actions, and the Creation of Wealth. Chicago: Strategy & Execution, LLC.

Frigo, M. L., and V. Ramaswamy. 2009. “Co-Creating Strategic Risk-Return Management.” Strategic Finance 5, 25–33.

Læssøe, Hans, Venkat Ramaswamy, and Mark L. Frigo. 2014. “Strategic Risk Management in the Co-Creative Enterprise.” Working Paper, Strategic Risk Management Lab, DePaul University.

Mikes, A., and D. Hamel. 2012. “The LEGO Group: Envisioning Risks in Asia.” Harvard Business School Case 113-054, November.

Ramaswamy, V., and F. Gouillart. 2010. The Power of Co-Creation. New York: Free Press.

Ramaswamy, V., and K. Ozcan. 2014. The Co-Creation Paradigm. Palo Alto, CA: Stanford University Press, forthcoming.

ABOUT THE CONTRIBUTORS

Mark L. Frigo, PhD, CMA, CPA, is director of the Center for Strategy, Execution and Valuation and the Strategic Risk Management Lab in the Kellstadt Graduate School of Business at DePaul University in Chicago. He is Ledger & Quill Alumni Foundation Distinguished Professor of Strategy and Leadership in the Driehaus College of Business at DePaul. The author of seven books and more than 100 articles, his work is published in leading journals, including the Harvard Business Review. Dr. Frigo is coauthor (with Joel Litman) of the book Driven: Business Strategy, Human Actions, and the Creation of Wealth, coauthor (with Richard J. Anderson) of the book Strategic Risk Management: A Primer for Directors and Management Teams, and author of a forthcoming book, Driven Strategy, from Stanford University Press. His research and thought leadership on strategic risk management and ERM have been published by Harvard Business Press, the Conference Board, Committee of Sponsoring Organizations of the Treadway Commission (COSO), American Accounting Association, Financial Executives International, American Institute of Certified Public Accountants, Institute of Internal Auditors, Institute of Chartered Accountants in England and Wales, Chartered Institute of Management Accountants, Institute of Management Accountants, Risk and Insurance Management Society, and other leading organizations, and he has presented keynote presentations and executive workshops on strategic risk management throughout North America, Europe, and the Asia-Pacific region. He is a member of the RIMS Strategic Risk Management Development Council. Dr. Frigo is an adviser to executive teams and boards of directors in the area of strategic risk management.

Hans Læssøe, MSc, is the LEGO Group head of and senior director on strategic risk management, a function he established in 2006 and 2007. He has more than 30 years of LEGO Group experience from a number of areas, which provides him with strong business insight and a network to drive the task of proactive strategic risk management. He is a founding member of a Danish ERM network, an executive member of the European Council of Risk Management, and a specialist member of the Institute of Risk Management (IRM). He is a member of the RIMS Strategic Risk Management Development Council. The LEGO Group and Læssøe have won multiple European awards for their unique risk management approach. Læssøe is the author or coauthor of articles in international magazines, and speaks at international risk management conferences.


Turning the Organizational Pyramid Upside Down

Ten Years of Evolution in Enterprise Risk Management at United Grain Growers

JOHN BUGALLA Managing Principal, ermINSIGHTS

Strategy without tactics is the path to uncertain success; tactics without strategy is the noise before defeat.

—Sun Tzu (c. 544–496 B.C.)

Few companies stand out as successful pioneers in enterprise risk management (ERM), especially one that undertook the initiative almost 15 years ago. One such ERM pioneer was United Grain Growers (UGG), a conservative 100-year-old Winnipeg, Canada–based grain handler and distributor of farm supplies. When UGG announced that it had implemented a new integrated risk-financing program in 1999, it received a great deal of attention in the financial press. CFO magazine hailed the UGG program as “the deal of the decade.”1 The Economist characterized it as a “revolutionary advance in corporate finance.”2 Harvard created a UGG case study.3 While most outside attention focused on the direct financial benefits of implementing the program (protection of cash flow, the reduced risk capital required, and a 20 percent increase in stock price)4, scant attention was given to the less tangible and therefore less measurable issues of governance, leadership, and corporate culture—the conditions that enabled such innovation. It was a combination of a collaborative leadership open to new ideas, a culture of controlled risk taking, and active risk oversight by the board that produced a strategic approach to UGG’s risk management process. A combination of the same cultural factors had already contributed to the 1993 transformation of UGG from a cooperative structure to a publicly traded company with access to the capital markets. UGG’s chief executive officer (CEO) had two key strategic objectives: (1) from day one of his tenure, a razor-sharp focus on improving the financial performance of the company to better serve customers and shareholders, and (2) as financial performance improved, to change the risk profile of the company to attract long-term shareholders versus short-term stock speculators.


108 Implementing Enterprise Risk Management

Implementing the integrated risk program that reduced earnings volatility helped to change the risk profile of the company. However, the strategic goals of UGG went deeper than an integrated risk program. Over the next several years, financial performance continued to improve. New value was created by implementing a unique credit financing business (UGG Financial), in partnership with the Bank of Nova Scotia (Scotiabank). This was followed by merging with/acquiring the business of rival Agricore Cooperative in 2001, creating Agricore United (AU). The final act of value creation was extracting a high premium for AU’s stock in 2007 from several bidders that wanted to acquire the company.

BACKGROUND—OPERATING ENVIRONMENT

The grain business is capital intensive and inherently risky in terms of supply, commodity prices, currency exchange rates, Canadian government regulation of the industry, and, from time to time, the political climate with key customer countries. Weather is obviously a major risk, and it determines local and overall supply. Grain production in the Canadian prairies covers tens of thousands of square miles of Manitoba, Saskatchewan, and Alberta, and stretches into the Peace River district of British Columbia. The success or failure of the entire crop year, for the farmer-growers, for grain handlers like UGG, and for road and rail transporters, is determined by the amount of rainfall in April and May. Not enough rain in those key months translates into a drought-reduced harvest. An analysis of a century of rainfall data added a further complication: weather events thought to occur once every 100 years had actually occurred every nine to 11 years. However, UGG was a grain handler, not a crop grower. The threat to UGG was related to the volume of grain that it would process, much of it at a fixed price established by the Canadian Wheat Board (CWB).5 UGG had an established average market share of 15 percent. UGG (and its competitors) would be allocated rail cars by the Canadian Wheat Board almost entirely on the basis of market share in the preceding year, no matter how large or small the crop. There was, therefore, little opportunity to gain (or lose) grain handling market share. Consequently, it was overall grain production volume risk that drove revenues and profits.6

Grain is a commodity traded on global exchanges. The price of grain, such as wheat, like any other commodity, is driven by supply and demand. While local weather conditions impact Canada’s grain-producing provinces, supply and demand are also impacted by global weather conditions.7 Political risk is another factor in the supply-and-demand chain, as Canada is a major grain exporter. A grain embargo placed on a major customer nation is a critical threat. It has been said that wheat is 15 percent protein and 85 percent politics.

Canadian grain (wheat, barley, oilseeds, and pulse crops)8 is harvested in the fall. The average Canadian harvest is over 60 million tons. The farmers harvest the grain and then transport it to the storage elevators operated by UGG and its competitors. The primary grain elevators are located on railroad sidings in farming communities that enable the railroad to collect the grain in special hopper cars and transport it to the two main grain terminal ports at Thunder Bay on Lake Superior for shipments going east, and Vancouver for shipments going west. As a result of almost 100 years of railroad regulation and transportation subsidies, Western Canada was dotted with smaller wooden grain elevators, most of which could accommodate only short trains. The business was inefficient. By the 1990s the grain business was in transition. Deregulation of the railroads and the removal of transportation subsidies provided the railroad companies with the incentive to eliminate uneconomic branch lines. This, in turn, required that the smaller wooden elevators that dotted Western Canada would have to be replaced by giant modern elevators able to accommodate 100 or more grain railcars. The railroads were driving cost inefficiencies out of the system. This imposed a massive increase in capital requirements on UGG (and its competitors) as it embarked on an infrastructure rebuilding program—replacing its multitude of old wooden elevators with large, high-throughput, concrete ones capable of loading the multiple carloads demanded by railroad rationalization—reducing grain handling costs per metric ton, but adding new fixed costs.

Adding to the financial pressure of investing in grain handling infrastructure replacement, working capital requirements were also increasing rapidly. During the 1990s, the western Canadian grain handling companies responded to the increasing demand for crop inputs (seed, fertilizer, herbicides, and pesticides) by aggressively investing in the farm retail business. Farm retail sales showed dramatic growth as biotechnology delivered new products and genetics that promised to increase and protect crop yields. This substantially increased the amount of retail credit extended to farm customers.

GOVERNANCE

The financial scandals of the mid-1990s, such as Barings Bank and Orange County, were just as troubling then as the recent decade’s risk management mistakes, misdeeds, and failures are to today’s regulators and investors. The financial culprit then was the emerging issue of financial derivatives rather than the residential mortgage-backed securities that wreaked havoc on the global financial markets in 2008–2009. The scandals of the 1990s had the effect of sensitizing legislators, regulators, and investor advocates to start asking organizations questions about how publicly traded companies manage the inherent risks of their business. From these concerns were born a number of guidelines and standards in many parts of the world that, in general, allocated accountability to directors, officers, and organizational management to effectively manage their risks. One example, corporate governance guidelines produced by the Toronto Stock Exchange (TSX), set out five general responsibilities of directors in Canada. In addition to strategic planning, succession planning, communication policy, and internal control/management systems, directors were given responsibility for “the identification of the principal risks of the corporation’s business and ensuring the implementation of appropriate systems to manage those risks.”9

For a company historically sensitized to managing substantial business risks, particularly grain price volatility,10 the TSX guidelines immediately struck a chord. The board of directors of UGG therefore mandated the chief executive officer to form a Risk Management Committee, establish a formal risk management policy, develop corporate-wide risk management processes, and report to the Audit Committee of the board of directors on a quarterly basis. The board of UGG created a platform for the adoption of ERM and a strategic approach to risk management.


UGG already had a solid platform on which to build its approach to ERM. Risk management was a process that was well ingrained at UGG, and had been since the 1970s. The organization had a risk management policy, applied risk management processes via inspections (identification and evaluation) as required under its corporate insurance programs, and had developed internal loss prevention programs (environment, safety, and loss control); but, unlike many other organizations at the time, UGG also applied a risk measurement metric to its risk management initiatives by tracking its “cost of risk” (net risk retention costs + risk transfer costs + risk-related administrative overhead = cost of risk).

Concurrently, UGG’s leadership team was wringing out as much cost from the system as possible. Between the capital requirements for the new elevators, a lengthy depressed operating environment, and reduced crop volumes, reducing cost throughout UGG was a critical objective. Risk management expenses were no exception.


Tracing its roots back to 1906 as a farmer-owned cooperative,11 UGG was a mature organization entrenched in its own bureaucratic business model. There were numerous business units operating under the UGG umbrella but all reporting in a hierarchical command and control structure straight to headquarters. By the early 1990s, the company had become financially distressed—UGG was in breach of its bank covenants and losing cash. Under consideration in 1990 was the idea of exiting or selling certain noncore business units. An internal study of one business (farm supplies) produced a stark picture of not only that single business, but an entire organization, including operations, and its unresponsiveness to customer needs. The report was a candid assessment of the organization that equated the firm to a geriatric patient 85 years old in need of major care if it expected to survive. Written by the future CEO, the report projected that without dramatic change the fluid and dynamic forces taking place in the entire agribusiness sector, coupled with UGG’s weak balance sheet, would simply overwhelm the cooperative in a matter of a few years.

The financial imperatives critical to survival were fixing the weak balance sheet, recapitalization, and addressing bank covenants that had been breached. Access to cash and the capital markets was of paramount concern. One way to access the capital markets efficiently was to demutualize and become a publicly traded company. While it literally took an act of Parliament to demutualize, UGG went public in 1993.12

The UGG Annual Report in 1994 indicated the transformational shift in thinking by the new CEO that would set in motion a series of events that propelled the company to greatly improved operating and financial performance:

We have also taken definitive steps to organize our business so that the decisions which most affect customer service are made by the people who deal directly with customers. In the last year, we turned our organizational pyramid upside down. We can’t be prompt and effective in the era of market-driven agriculture if all the decisions that impact on customers are made by senior managers, sitting in Head Office, at the top of the organizational pyramid. In the country—in our core grain and inputs businesses—we’ve tipped the pyramid over. Our management team now provides support and planning services to the people who deal with customers, therefore enhancing services. This change was perhaps the most profound rethinking of our business approach in many years.13

Improved operational and financial performance would not have been possible without building an executive team of trusted partners who also embraced the need for change. Turning the pyramid upside down and allowing UGG staff interfacing with customers to respond quickly to their needs required a cultural shift—from the previously hierarchical management structure to one that delegated decision making and fostered personnel development. A new chief financial officer, with working experience in publicly traded companies, was appointed to help develop and implement the financial disciplines and tactics necessary to achieve the company’s business strategy.

Turning the pyramid over to improve customer service also required a completely new approach to management information technology (IT) systems.

Like the oil in an engine, lubricating support processes are needed for any business to operate smoothly. . . . UGG also eliminated its need for mainframe computing over the past year. While the Company incurred the double cost of carrying both our new “client-server” and mainframe for a good part of fiscal 1995, from fiscal 1996 forward we will realize material benefits from this shift. UGG won international recognition from the Smithsonian Institution for innovation in applying computing technology during 1995 for the successful completion of this project.14

Over the decade and a half following the decision to demutualize UGG, the transformation in management philosophy and the executive team’s implementation of strategic decisions proved successful in realizing the company’s objectives: The confidence of the board of directors was gained progressively and cumulatively and developed into an effective partnership with management; it was decision-making capital built up over time that created a culture of welcoming and listening to new and innovative ideas—ideas that could better serve UGG’s customers and other stakeholders.

Of course, no company has a straight line to success, and UGG was no exception. The ERM program was one example. Before risks can be managed and opportunities considered, they have to be identified. It is commonplace today, but, mindful of expenses and time constraints, the mandated (Toronto Stock Exchange, UGG Board, and CEO) risk identification process and subsequent risk rankings at UGG were accomplished in a single daylong meeting. The composition of this meeting exemplified the company’s departure from hierarchy: Participants were selected not by the seniority of their rank in the organization but rather for their knowledge and experience of the business; they ranged from frontline representatives to vice presidents, all given an equal opportunity and showing an equal propensity to contribute to the process. However, the road to ERM would take more than two years, which, once the company’s major risks were identified, included intense analysis, evaluation, and quantification of the company’s principal risks. There were headwinds along the way. The process was temporarily delayed by (1) a major flood in UGG’s home province and (2) a hostile takeover attempt by a combination of two competitors (which, after their failure to acquire UGG, merged to form Agricore Cooperative).

UGG did not embrace ERM as a risk management destination, but as (an important) part of a process that would support executive management’s risk-adjusted decision making. It evolved as a logical progression that had begun eight years earlier with the company’s strategic vision for its future and the development of a more inclusive management style.15

ERM/Integrated Risk Outcomes

The concept of developing an ERM process was new in the late 1990s. UGG started by identifying and assessing its principal risks. As indicated earlier, since the 1970s a substantial amount was already being done to control and measure the cost of property, casualty, liability, environment, safety, and loss control risks, in addition to potential (if unhedged) grain price exposure; the additional dimension was to apply the same systematic procedures to all the company’s major business risks.

The major risks were identified through the ERM exercise. Quantitative risk analysis confirmed (not unexpectedly) that weather had the greatest impact on UGG’s earnings, cash flow, and debt stability. Almost 100 years of data was available on the Canadian prairies’ crop production levels; this revealed that major droughts, such as occurred during the late 1920s and early 1930s, could reduce grain production and, consequently, UGG’s grain handling volume in the subsequent year by as much as 50 percent. Since this could pose a significant threat to UGG’s profitability, cash flow, and ability to control its debt level (and, therefore, investment plans), UGG’s senior finance, risk management, and treasury personnel began searching for a means to control this risk at reasonable cost.

Two different approaches to the problem were explored: Aware that financial derivatives might offer a solution, discussions were initiated with financial institutions; but none could be identified that were able to hedge the risk. UGG then began collaborating with its insurance broker, who conceived an insurance solution—a structure that incorporated the grain volume risk with all UGG’s traditionally insured risks (property, casualty, freight, liability, etc.) into an “integrated risk-financing program.” UGG was intrigued by this concept, particularly since a quantitative analysis suggested that such a program would cost no more than the discrete insurance policies that UGG was currently buying—without grain volume insurance. UGG’s executive management worked closely with the broker and the market to address this never previously insured exposure. Swiss Re, largely because of its expertise, capacity, and triple A financial rating, provided UGG with a groundbreaking integrated risk-financing program that applied to the various event risks that had previously been addressed by monoline traditional insurance policies, and a parametric risk solution tied to the expected volume of grain passing through UGG’s grain handling pipeline.

The effect of this on UGG’s potential financial stability was dramatic; while it “protected” (put a floor under) grain handling earnings that represented approximately 50 percent of UGG’s total gross profits, it had an even greater proportionate effect on the company’s net profits and cash flow—providing, by stabilizing its debt structure, greater assurance of its ability to deliver on its strategic plan. The Economist pointed out that “for a large chunk of its own equity, it [UGG] substituted the imposing capital of the world’s largest reinsurer.”16

It is worth noting that while the financial media sometimes referred to UGG’s risk-financing program as ERM, this was a misnomer; it was in fact an integrated risk-financing program (combining multiple property and casualty risks with the grain volume coverage). It was UGG’s different approach to thinking about risk—considering both the upside as well as the downside from an enterprise perspective—that was the ERM in the company’s process.

ERM CREDIT FINANCING OUTCOMES

Given the high capital demands of grain handling infrastructure renewal, UGG was also concerned about its ability to finance the rapid growth in crop inputs retailing—specifically the burgeoning demand from farmer customers for extended credit. Within UGG, a division called Crop Production Services managed the retail sales and logistics of these products, which included the extension of UGG retail credit to farm customers. As the levels of working capital and associated risk in the credit program increased, UGG sought to bring it under more rigorous control by placing credit at arm’s length from the retail operation, and under the oversight of the corporate treasury.

A cultural shift gradually took place that ensured compliance with improved practices in credit extension, but growth continued to strain working capital. This was alleviated to some extent by renegotiating bank lines, and later by undertaking the first off-balance-sheet securitization of Canadian farm receivables, but then competition was driving retailers to use financing as a tool to promote sales—there was a competitive advantage in being able to provide credit terms that extended repayment until after harvest. Ideally, the solution was to retain some control over the credit product, and to have as much credit capacity as needed, at attractive terms, without putting a strain on the balance sheet.17

After lengthy exploration, this was finally accomplished by forming UGG Financial through a strategic alliance between UGG and Scotiabank. Essentially, UGG provided the customers, administration, and reporting while Scotiabank provided the capital. UGG shared an equal level of risk with the bank with a hard cap18 on the maximum limit. UGG received significant fees from Scotiabank based on the performance of the portfolio. The results were dramatic, effectively freeing up to $200 million in capital, extending customer credit terms up to 12 full months, streamlining application processes and providing greater levels of customer service, and expanding product lines to livestock producers. It was also instrumental in enabling acquisitions of independent retailers’ accounts and the merger of UGG with Agricore Cooperative to form AU in 2001. This arrangement forced competitors to engage in similar outsourcing credit arrangements, and it became the standard of the industry. When Saskatchewan Wheat Pool eventually acquired AU, the operation was extending $1.5 billion in credit to 20,000 customers and generating over $10 million in net profits annually.19

A third leg of UGG/AU’s activities was its Livestock Services division. Accounting for between 10 percent and 15 percent of the company’s business, its primary activity was the manufacture and sale of animal feedstuff, the largest segment being to hog farmers. Traditionally highly leveraged, hog farmers were vulnerable to cyclical fluctuations in hog prices. Learning from the statistical techniques employed in assessing UGG/AU’s other risks during the ERM process, collaboration between corporate and divisional management identified an opportunity to use these methods to acquire a competitive advantage in supporting feed sales to hog producers.

By analyzing the hog price cycle, it became evident that there was an opportunity for UGG/AU to provide hog price risk management to customers who contracted to purchase their feed from the company. Provided that the customers met strict performance criteria (such as weight gain, morbidity, etc.), the company would agree to support shortfalls in realized prices from a preestablished minimum until prices recovered sufficiently to recover the subventions, thus protecting the producers’ cash flow. Clearly there was always a risk that the historical pattern of the hog price cycle could prove an insufficient predictor of the severity or length of future price downturns; however, using statistical modeling techniques, it was possible to stress test the company’s exposure to credit risk to ensure that the capital at risk did not exceed preestablished levels based on UGG/AU’s required return targets (on the associated feed sales). In this way, the company was able to promote its feed sales to high-performing producers with the quantitative intelligence to provide a high degree of assurance that it would achieve its return targets without excessive risk, secure in the knowledge that if competitors provided more attractive terms under any similar program they risked eroding their financial (and, therefore, long-term competitive) positions.20

Apart from the obvious risk mitigation provided by the integrated risk-financing program, it could be argued that the broader ERM project further increased UGG’s ability to take on more risk; as it gained a more precise quantification of the risks it faced, not only as individual risks but in aggregate, this improved understanding of its overall risk profile reduced the need for “precautionary capital.”21

While by no means all of the risks that UGG/AU confronted could be quantified (and could only be managed procedurally or avoided altogether), the quantification of its major risks substantially enhanced the company’s ability to model its anticipated financial performance. While weather could have a dramatic impact on the volume of grain produced, it could also have a significant influence on the volume, timing, and variety of seed, fertilizer, herbicide, and pesticide sales by the Crop Production Services division (e.g., an unusually wet spring that delayed planting could shift sales from one quarter to another, change farmers’ planting intentions, and alter their fertilizer, herbicide, and pesticide requirements for the entire crop year).

Such variability could substantially affect UGG/AU’s quarterly and annual earnings, even if the impact was not as dramatic as a full-blown drought. UGG had developed a comprehensive financial model of its expected earnings, debt levels, and cash flow. Prior to developing the intelligence derived from the quantification of its major risks during the ERM process, the model had, however, been one that produced average (or normal weather condition) projections—good for long-term planning but of limited use in the short term, as it did not anticipate the consequences of seasonal and year-to-year variability. Given the quantitatively enhanced understanding of the potential range of earnings and cash flow derived from ERM, the company was able to model the complete range of its possible financial outcomes. While this did not significantly enhance its understanding of its expected long-term average results, it did provide a powerful analytical tool: It identified its requirements for contingent capital with more precision; it provided a much better tool for judging its performance against its plans in a set of potentially variable conditions—an infinitely flexible budget; and it improved its capacity to respond appropriately to changing conditions that had, or might have, adverse financial implications.
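As an added illustration of the kind of analysis the preceding paragraphs describe (a range of earnings outcomes rather than a single normal-weather projection, a parametric volume floor, and the contingent capital implied by the tail), the Python below simulates handled volume with a recurring drought year, values a hypothetical parametric cover that pays on measured volume shortfall, and compares the downside with and without it. This is example code written for this chapter, not UGG’s model or Swiss Re’s contract; the volume, margin, fixed-cost, drought-frequency, trigger, and limit values are all constructed assumptions, not UGG figures.

```python
"""Added illustration (not UGG's model): a Monte Carlo range of grain-handling
gross profit with and without a parametric volume floor, and the contingent
capital implied by the tail. Every figure below is a constructed assumption."""
import random
import statistics

# Constructed assumptions; none of these are UGG figures.
EXPECTED_VOLUME_MT = 5_000_000   # tonnes handled in a normal-weather year
MARGIN_PER_MT = 20.0             # gross margin per tonne, dollars
FIXED_COSTS = 60_000_000.0       # fixed cost base of the elevator network
DROUGHT_PROB = 0.10              # roughly the text's "every nine to 11 years"
MAX_DROUGHT_LOSS = 0.50          # the text's worst-case 50 percent volume drop


def simulate_volumes(n, rng, drought_prob=DROUGHT_PROB, sigma=0.15):
    """Draw handled volumes: normal-year noise plus an occasional drought year
    that removes 25 to 50 percent of volume on top of the noise."""
    volumes = []
    for _ in range(n):
        factor = max(0.3, rng.gauss(1.0, sigma))   # normal-year variability, floored
        if rng.random() < drought_prob:
            factor *= 1.0 - rng.uniform(0.25, MAX_DROUGHT_LOSS)
        volumes.append(EXPECTED_VOLUME_MT * factor)
    return volumes


def gross_profit(volume_mt):
    """Handling gross profit for one crop year at the assumed margin and fixed costs."""
    return volume_mt * MARGIN_PER_MT - FIXED_COSTS


def parametric_payout(volume_mt, trigger_mt, limit):
    """Parametric cover: pays the margin on every tonne below the trigger, capped at
    the limit. There is no loss adjustment; only the measured volume matters."""
    shortfall = max(0.0, trigger_mt - volume_mt)
    return min(limit, shortfall * MARGIN_PER_MT)


def earnings_distributions(n=20_000, seed=7, trigger_fraction=0.85, limit=40_000_000.0):
    """Return (unhedged, hedged) lists of simulated gross profit. The premium is
    omitted because the text reports the integrated program cost no more than
    the discrete policies UGG already bought; a real model would subtract it."""
    rng = random.Random(seed)
    volumes = simulate_volumes(n, rng)
    trigger = trigger_fraction * EXPECTED_VOLUME_MT
    unhedged = [gross_profit(v) for v in volumes]
    hedged = [gross_profit(v) + parametric_payout(v, trigger, limit) for v in volumes]
    return unhedged, hedged


def percentile(values, p):
    """Nearest-rank percentile without numpy; p in [0, 1]."""
    ordered = sorted(values)
    index = int(round(p * (len(ordered) - 1)))
    return ordered[index]


def contingent_capital(outcomes, confidence=0.99):
    """Capital needed to bridge from the normal-weather plan down to the
    (1 - confidence) tail outcome: the figure an average-case model cannot show."""
    plan = gross_profit(EXPECTED_VOLUME_MT)
    tail = percentile(outcomes, 1.0 - confidence)
    return max(0.0, plan - tail)


if __name__ == "__main__":
    unhedged, hedged = earnings_distributions()
    for label, dist in (("unhedged", unhedged), ("hedged", hedged)):
        print(f"{label:9s} mean={statistics.mean(dist) / 1e6:7.1f}M "
              f"p1={percentile(dist, 0.01) / 1e6:7.1f}M "
              f"contingent capital={contingent_capital(dist) / 1e6:6.1f}M")
```

The point of the comparison is the last column: the normal-weather plan is identical in both runs, but the tail outcome, and therefore the capital that has to be held in reserve against it, moves once the volume floor is in place. Replacing the constructed volume draw with a bootstrap over the actual century of crop-year data would turn this into the kind of model the text describes.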

ERM was also able to bring a more consistent and disciplined treatment of risk exposures across the organization. UGG became better positioned to allocate appropriate resources to ensure that the risks within the different divisions and activities of the company were not over- or undermanaged relative to the corporation’s level of risk tolerance.22

AGRICORE UNITED

As the solutions to UGG’s top risks started to pay financial dividends and improve its balance sheet, the management team began to apply enterprise-wide thinking to other areas that had been identified and to factor this competitive strength into its growth strategies. One of these was a merger with Agricore Cooperative, a rival grain processor whose predecessor companies had, three years previously, attempted a hostile takeover of UGG.23

UGG’s integrated risk-financing program proved a valuable tool during the merger negotiations: The potential to expand the program to the enlarged company was perceived by Agricore Cooperative’s board of directors and members as a means of providing greater stability and security to the organization.

In practical terms, though, UGG Financial was a more powerfully persuasive factor in the merger: Lacking UGG’s access to the capital markets, Agricore Cooperative had become substantially overleveraged in the race to build high-throughput elevators and expand its crop inputs business in line with its competitors; consequently, the prospect of being able to roll up Agricore Cooperative’s receivables into UGG Financial was a very significant advantage for a combined company—removing, as it did, the need for some $300 million in financing from the combined company’s balance sheet (compared to the amount previously financed directly by Agricore Cooperative).24

HARVESTING VALUE

Every publicly traded company is for sale, and the price is visible to everyone in the form of the stock price. While AU would have preferred to stay independent, the company received a buyout offer from the Saskatchewan Wheat Pool (SWP) that, under Canadian law, could not be ignored even though the initial offer was considered by management to be woefully inadequate. The AU CEO and the board of directors, given their governance responsibilities, thought the offer could be substantially improved or even countered by another suitor—one prepared to put a more realistic value on AU. The CEO believed there were three possible options that could create additional stakeholder value:

1. AU could make its own offer to buy out SWP.

2. AU could seek a white knight to counter the SWP offer, effectively creating an auction that would produce the highest bid (i.e., provide the greatest possible increase in shareholder value).

3. Archer Daniels Midland (ADM) was a strategic partner and significant stakeholder in AU that had aided UGG in its defense of the hostile takeover attempt by Agricore Cooperative’s predecessor companies. ADM could be offered a proposal to increase its ownership position.

The CEO and the board of directors decided upon a strategy to pursue the first two options, which also offered the greatest flexibility to ADM.

As is usual in hostile takeovers, a team of advisers and investment bankers was hired by AU to analyze the company’s financial position and prospects and determine a fair value. At the same time, AU made a buyout offer to SWP that was rejected. After the evaluation was completed, it confirmed that AU was worth considerably more than the share-swap deal offered by SWP. The AU board of directors, which included representatives from ADM, rejected the buyout offer. One of the AU board members then made an overture to Richardson International, Canada’s next largest agribusiness, to determine its interest in acquiring AU. Richardson International made a friendly all-cash offer higher than the offer from SWP. Not to be thwarted in its takeover attempt, SWP countered with a higher all-cash offer. This had the effect of creating an auction process where the price for the AU stock reached a level prompting ADM to make a strategic decision. ADM could increase its holdings in AU and assume control or could sell them at a substantial profit to shareholders, knowing that AU was going to be sold to either SWP or Richardson International. Finally, the highest bid was an all-cash offer from SWP.25

After the buyout was complete in 2007, SWP changed the name of the combined company to Viterra, Inc., and continued to operate until being acquired by Glencore International on January 1, 2013.26

CONCLUSION

Thomas Edison once quipped: “Vision without execution is hallucination.” Turning the organizational pyramid upside down initiated a transformation in the company—a process starting with the formulation of a strategic plan, then transforming the culture of the organization, and finally demanding execution of that plan. Without execution, innovative ideas tend to die on the vine. While one aspect of the organizational vision was intended to be operational—improving customer service—another (more subtle) effect was to transform the entire culture of the company. The cultural shift to a leadership that was aligned in their goals made for quicker and better-informed decision making. UGG and its successor company AU did not just become more responsive to the needs of customers; the new culture developed greater collaboration between senior and middle management teams, and delegated responsibility to them for their decisions. This collaborative but accountable environment allowed a number of innovative solutions to the company’s business challenges to be created: developing new (client-server) computing, early adoption of the ERM process, the subsequent groundbreaking risk-financing program, and the creation of UGG/AU Financial—not just industry firsts that spawned imitators but also initiatives that significantly added value to the corporation.

QUESTIONS

1. Why does a more participative management style (“tipping the pyramid over”) lead to greater responsiveness to customers’ needs, increased accountability, and more innovative solutions to challenges than a hierarchical “command and control” structure?

2. Under what circumstances might the hierarchical “command and control” structure produce superior results?

3. What particular factors do you believe led UGG/AU to be pioneers in ERM? Was it industry/company/history/circumstances? Was it a changed organizational “culture”? Was it good management?

ACKNOWLEDGMENTS

This chapter could not have been written without the extensive cooperation of the following:

Peter G.M. Cox, Former Chief Financial Officer, Agricore United
Brian Hayward, Former Chief Executive Officer, Agricore United
Michael McAndless, Former Chief Risk Officer, Agricore United
George Prosk, Former Treasurer, Agricore United

NOTES

1. “Whatever the Weather,” CFO, June 2000.
2. “Outsourcing Capital,” The Economist, November 1999.
3. “United Grain Growers Ltd. (A),” Harvard Business Publishing, August 2003.
4. United Grain Growers Ltd as of December 2, 1999, Yahoo! Finance stock chart.
5. The CWB was created in 1935—with antecedents going back to before World War I—as a mandatory producer marketing system for wheat and barley grown in Western Canada. It was illegal for farmers under CWB jurisdiction (anywhere in Western Canada) to sell their wheat and barley through any channel other than the CWB. The CWB became a voluntary marketing organization only in 2012.
6. Interview with Peter Cox.
7. Agricultural Futures Markets.
8. Pulse crops are peas, beans, and lentils.
9. In 1994 a committee sponsored by the TSX published a report (the Dey Report) containing corporate governance recommendations to TSX-listed companies. In 1995 the TSX adopted them as “best practice guidelines.” Although the guidelines were not mandatory, the TSX did require listed companies to disclose annually their approach to corporate governance and provide an explanation of any differences from the guidelines.

118 Implementing Enterprise Risk Management

10. Virtually all grain purchases not matched by sales contracts, as well as sales contracts for which the company did not have purchased grain, were hedged using derivatives on long-established international grain exchanges, while very limited, unhedged positions had been closely managed and supervised for many years.
11. UGG was formed in 1917 by the merger of the Grain Growers’ Grain Company, founded in 1906, and the Alberta Farmers’ Co-operative Elevator Company of 1913.
12. The United Grain Growers Act was approved by the Canadian Parliament in 1992, allowing UGG to become a public company with both members (the former cooperative’s members) and public shareholders.
13. 1994 UGG Annual Report, Chief Executive’s Report, and interview with Brian Hayward.
14. 1995 UGG Annual Report, Chief Executive’s Report, and interview with Brian Hayward and Peter Cox.
15. Interview with Michael McAndless.
16. “Outsourcing Capital.”
17. Interviews with Peter Cox and George Prosk.
18. A “hard cap” means that there is a fixed upper limit on the amount of risk that UGG would absorb.
19. Interviews with George Prosk and Peter Cox.
20. Interview with Peter Cox.
21. Interviews with Peter Cox, Brian Hayward, and Michael McAndless.
22. Interviews with Peter Cox, Michael McAndless, and George Prosk.
23. Interview with Brian Hayward.
24. Interview with Peter Cox.
25. Interview with Brian Hayward.
26. Various announcements in financial media.

ABOUT THE CONTRIBUTOR

John Bugalla is Principal of ermINSIGHTS, an advisory and training firm specializing in enterprise risk management and strategic risk management. His experience includes 30 years in the risk management profession serving as Managing Director of Marsh & McLennan, Inc., Willis Group, Plc., and Aon Corporation before founding ermINSIGHTS. He led the Willis team that negotiated the integrated risk program on behalf of UGG. He is the author or coauthor of numerous articles in diverse publications such as The Corporate Board magazine, CFO magazine, the National Law Review, Credit Union Management magazine, Risk Management magazine, the Journal of Risk Management in Financial Institutions, and the Journal of Risk Education.


Housing Association Case Study of ERM in a Changing Marketplace

JOHN HARGREAVES
Managing Director of Hargreaves Risk and Strategy

This case has two main aims. The first is to help develop an understanding of the importance of enterprise risk management (ERM) in a charitable context, and to show that modern charities are often very active organizations that face significant risks. Second, the case aims to illustrate the need for a close relationship between risk assessment and strategy development, particularly in sectors where objectives are defined in social as well as in economic terms. This case features four real-life charitable housing associations in England and Wales, each with a different strategy and risk environment. Simple yet practical tools to assist in risk identification and prioritization are also presented.

BACKGROUND

The UK housing market is going through a difficult period. The number of households is expanding by 250,000 per year, but the rate of house building is only half of what it needs to be. There is a tradition of home ownership, but the banking sector has recently not been able (or willing?) to fund further growth, and home ownership has fallen to its lowest level for two decades. Young working people who would previously have taken out a mortgage and bought their houses are now turning to renting. There is an urgent need to provide ordinary working people with good quality homes; the private rental market provides homes of mainly low quality, and market rents are increasing to unaffordable levels.

About one-fifth of the United Kingdom’s housing is owned by housing associations, independent charities that until recently have specialized in so-called social housing (i.e., rental accommodation for the United Kingdom’s poorest people). The quality of this housing has been significantly improved over the past few years to meet the United Kingdom’s Decent Homes Standard.1 There are about 2,000 associations, of which 250 own more than 1,000 homes each. Currently, their tenants are mainly nominated by local authorities using prioritized waiting lists. Their rents are set at about 40 percent of market rent, and quite a high proportion of these rents are paid from welfare payments. However, £10 billion worth of welfare cuts are now being implemented, with a further £10 billion still in the pipeline. This, together with a stagnant economy, means that housing associations’ tenant communities are now under significant financial stress. In the past year the associations have built a total of about 40,000 houses, mostly for rental, largely using finance from the bond market, to the tune of over £3 billion.

The building of new social housing stock has historically been subsidized by government capital grants, but these have now been reduced both in number and in value, and a typical grant (with strings attached) now covers only about 15 percent of the building cost. Now only about 40 percent of the housing associations’ house building is utilizing the small grant subsidies available under the government’s Affordable Homes program, to be let at rents between 60 percent and 80 percent of market rent.

In recent years, housing associations have been expanding into new product areas, including:

• Building houses for sale
• Low-cost home ownership (the association owns part of a house, on which the tenant/owner pays a low rent, and the tenant/owner owns the rest, which is financed by a mortgage; the tenant/owner progressively buys his or her share from the association, and repays the mortgage, usually over a period of 25 years)
• Market renting
• Intermediate market renting, where rent levels are set somewhere between social and market rents, for key worker tenants such as nurses, teachers, and police officers
• Services for elderly people, such as old persons’ homes and visiting support services
• Nursing homes and student accommodations
• Providing services, such as building maintenance and servicing tenant repair requests, on a contract basis for other associations

SECTOR ISSUES

Each association has its own board, with a large degree of independence. The board members of most large associations are paid for their services, but in smaller associations their participation is voluntary. The sector is regulated by the Homes and Communities Agency (HCA), but only in respect of governance and viability, not the quality of service provided. Most associations cover small local areas, but increasingly associations are amalgamating to give them a regional, rather than local, coverage. The boards of housing associations now have to make difficult strategic decisions, and different associations are adopting contrasting strategies according to their individual circumstances and risk appetites. Their environment is now much riskier than previously, and all of the available strategies are riskier than the typical association is used to. The choice is broadly between four generic strategies:

1. To concentrate on continuing to provide good quality housing services to existing social housing tenants and their replacements, in a situation where local authority financing is being cut by up to 28 percent and support services are therefore likely to be cut. This policy helps those in need, reduces leverage, and conserves resources that could be used to support a more expansive policy in a better socioeconomic climate.

2. To invest in various social services on the borderline between the private and public sectors with the aim of increasing human or environmental well-being, and in particular regarding employment generation and support.

3. To expand in the affordable rent market, by using a mix of external capital and grants, and by cross-subsidy through progressively transferring existing social-rent housing onto a higher rent level.

4. In areas of high housing demand such as London, to develop high-volume housing for sale or at full market rent, and also to build houses where the tenants pay a rent sufficient to allow them to accumulate a financial interest in the property. An association, in employing this strategy, would typically have a culture similar to that of a commercial developer.

There are a number of issues currently causing concern in the sector; in particular:

• The government currently pays housing welfare benefits to landlords where the tenant qualifies to receive the benefit. This means that the risk of tenant rent arrears is much reduced. In the future, to encourage a culture of self-sufficiency, the government will pay benefits directly to tenants, and expect them to pay their own rents. Only if rent arrears reach a level of two months will the government resort to the payment of a tenant’s rent to the landlord.

• Benefit levels are being reduced, and more pressure is being put on recipients to find work.

There is an acute housing shortage in London and the South East of England, which the sector is struggling to meet. In the north of the country the housing market is weak, with some economists being of the opinion that many houses are overvalued. In the event of another depression, a relapse within the present one, or a sudden increase in interest rates, there is a danger of a downward correction in house prices.

Some associations were set up several years ago to take over local authority houses, then in poor condition, and bring them up to the Decent Homes Standard using long-term bank financing specifically tied to this (low-risk) purpose. The Decent Homes Program was successful, with the required standard generally being attained by 2012. However, the bank financing often has covenants that prevent the association from borrowing more money to branch out into riskier activities without refinancing its existing lending at higher interest rates, typically 1.5 percent greater than its existing finance. For these associations, known as large-scale voluntary transfers (LSVTs), a decision is needed as to whether they should stick to their knitting and limit their investment in new houses to what they can generate internally, or bite the bullet and pay the extra margin for new loans to fund an expansion.


In some respects the position of the sector is relatively stable, since the demand for its core product would be expected to increase in adverse economic times. However, the sector’s finances are finely balanced, with its borrowing subject to profitability and leverage covenants, so it may be vulnerable to sudden changes in economic conditions, and in particular:

• To an economic downturn if this were to be accompanied by a sudden fall in house prices, since there could then be losses on houses being built for market sale.

• To a sudden hike in interest rates, if this were not accompanied by an equivalent increase in inflation. About two-thirds of the sector’s borrowing is at fixed interest rates, thus reducing this risk. Also, the social housing rent levels of a typical association are tied to the United Kingdom’s consumer price index (CPI), so if the interest rate rise were accompanied by an increase in inflation, as has commonly been the case in the past, the risk would also be covered. However, there remains a chance that a sudden change in monetary policy could result in interest rate increases without an accompanying increase in inflation rates, possibly accompanied by a sudden fall in house prices.

CHARITABLE STATUS

Housing associations are registered as charitable organizations under the UK Charities Act of 2006, being set up to provide public benefit by relieving poverty, developing communities, and supporting people who are in need by reason of their age, ill health, financial hardship, or other disadvantage. Most of them make substantial surpluses, which they retain and use for their charitable purposes. As charities, they are exempt from paying UK corporation tax. Housing associations often also engage in noncharitable activities such as market renting or building houses for sale by setting up noncharitable subsidiaries, which gift any profits made to the parent charity, thereby exempting the subsidiary from having to pay corporation tax. Public donations do not comprise a significant part of the sector’s cash flow.

Sector Risks

The housing association sector is regulated by the Homes and Communities Agency (HCA). The HCA has extensive powers to intervene if it believes an association is being poorly governed or its viability is threatened. Most associations are highly leveraged, and the presence of an efficient regulatory activity is viewed by the financial sector as extremely important in supporting its lending. To date, the regulatory system has been remarkably successful—while a number of associations have gotten into difficulties over the past 25 years, in no case has a financial institution made lending losses, and there has been only one case of serious default. The regulator adopts a co-regulatory approach, which “gives providers full responsibility for managing their own businesses, including their own risks. The role of the regulator is to seek assurance on how those risks are being managed.”2


The regulator’s view of the financial risks facing the sector is that:

The model of social housing that has existed for approximately 25 years is changing. Boards of providers more than ever need to be aware of the risks and choices they face in order to meet their objectives. They also need to understand the interaction between the various risks and their overall “portfolio” impact. An approach to risk that considers issues in isolation is unlikely to be effective in the current operating environment. . . . The risks can be summarized as:

• Asset-related risks, including risks associated with:
  - Development
  - Diversification into other activities
  - Exposure to the housing market
  - Maintaining existing stock
• Liability-related risks, including risks associated with:
  - Existing debt (gearing, loan covenant, and repricing issues)
  - Mark-to-market exposure
  - IFRS
  - New forms of debt
• Income-related risks, including risks associated with:
  - Affordable rent
  - Welfare reform
  - Supporting people
• Cost-related risks, including risks associated with:
  - Pension issues
  - Differential inflation rates

The relative importance of each of these risks and their interaction with each other will depend on the precise business models and stock holding patterns of individual providers.

SOME USEFUL METHODOLOGY

The following are some notes on two risk techniques that have been found to be useful in the sector.

Risk Appetite Determination

The sector has had a number of cases where associations have taken on rather more risk than their risk capacity allowed. As part of the process of establishing the context for risk management in the sector, answering the following questions has been found to be helpful:

Q1: How much risk do we think we are taking (risk perception)?

Q2: How much risk are we actually taking (risk exposure)? What evidence have we got that the assessment is correct? If there are gaps, biases, or incorrect assessments in the risk map, our perception will be incorrect.

Q3: How much risk do we usually like to take (risk propensity/culture)? If this is less than Q1, then we will feel uncomfortable.

Q4: How much risk could we safely take (risk capacity)? This should be bigger than Q1, Q2, and Q3. It mainly depends on financial strength and covenants, but also a view of response speeds should things start to go wrong.

Q5: How much risk do we think we should be taking (risk attitude)? We may feel we should be doing things but we don’t currently have the capacity to do them.

Q6: How much risk do we actually want to take (risk appetite)? This is perhaps a compromise!

Q7: How do we set controls and limits across products and parts of the business, so that we can be confident that our total risk appetite is not exceeded (risk limits)?

Exhibit 8.1 Sample Probability Scale

Probability Score   Description   Range
5                   Very high     More than 90%
4                   High          31% to 90%
3                   Medium        11% to 30%
2                   Low           3% to 10%
1                   Very low      Less than 3%

Risk Assessment Methodology

There are technical difficulties in assessing the risks in housing associations, largely concerned with their mix of financial and social objectives. A successful approach to risk assessment for the sector has been developed, as described in Chapter 13 of Fraser and Simkins (2010) and summarized in Exhibits 8.1 and 8.2.

It is difficult to assess a risk that has several types of impact, but the task is considerably simplified if you use a clear set of criteria3 such as those given in Exhibit 8.2.

When using the scale in Exhibit 8.2 to assess a risk, one should decide which is the highest type of impact and make the assessment based on the assessed level of this type of impact. Thus if a risk has mainly staff impact, and many staff are significantly affected, then the risk would be recorded as impact score 4. Similarly, if another risk would result in major reputational damage, the score would be 4. However, if a risk has two or more types of impact at the same level, then the score would be one degree higher (i.e., a score of 5 in the example).
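As an added worked example (not code from the book or its author), the following Python applies the Exhibit 8.1 probability bands and the impact rule just described, including the one-degree uplift when two impact types tie at the highest level, and then ranks a few constructed risks for a risk map. The exact boundaries between the exhibits' ranges, the cap at score 5, and the probability-times-impact ranking are assumptions of the example, not statements from the text.

```python
# Added illustration of the Exhibit 8.1 / 8.2 scoring rules described in the
# text; not code from the book. Band boundaries, the cap at 5 and the ranking
# rule are assumptions noted in the comments below.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Impact types: the column headings of Exhibit 8.2.
CATEGORIES = ("strategic", "financial", "customers_staff", "reputational", "legal_regulatory")


def probability_score(pct: float) -> int:
    """Map a probability in percent onto the 1..5 scale of Exhibit 8.1.
    The bands (more than 90%, 31%-90%, 11%-30%, 3%-10%, less than 3%) leave
    small gaps such as 10%-11%; running each band up to the next band's lower
    bound is an assumption, not something the text states."""
    if not 0 <= pct <= 100:
        raise ValueError(f"probability must be a percentage, got {pct}")
    if pct > 90:
        return 5
    if pct > 30:
        return 4
    if pct > 10:
        return 3
    if pct >= 3:
        return 2
    return 1


def financial_level(pct_of_turnover: float) -> int:
    """Map a financial impact (% of turnover) onto the Financial column of
    Exhibit 8.2 (above 10%, 3.1%-10%, 1.1%-3%, 0.3%-1%, less than 0.3%);
    gaps between bands are closed the same way as in probability_score."""
    if pct_of_turnover < 0:
        raise ValueError("impact must be non-negative")
    if pct_of_turnover > 10:
        return 5
    if pct_of_turnover > 3:
        return 4
    if pct_of_turnover > 1:
        return 3
    if pct_of_turnover >= 0.3:
        return 2
    return 1


def impact_score(levels: Dict[str, int]) -> int:
    """Apply the rule from the text: take the highest impact type; if two or
    more types sit at that same highest level, raise the score one degree.
    Capping at 5 (top of the scale) is an assumption for the tied-at-5 case."""
    if not levels:
        raise ValueError("a risk needs at least one assessed impact type")
    for cat, lvl in levels.items():
        if cat not in CATEGORIES:
            raise ValueError(f"unknown impact type {cat!r}")
        if not 1 <= lvl <= 5:
            raise ValueError(f"level for {cat} must be 1..5, got {lvl}")
    top = max(levels.values())
    ties = sum(1 for lvl in levels.values() if lvl == top)
    return min(5, top + 1) if ties >= 2 else top


@dataclass
class Risk:
    name: str
    probability_pct: float
    impacts: Dict[str, int] = field(default_factory=dict)

    def scores(self) -> Tuple[int, int]:
        return probability_score(self.probability_pct), impact_score(self.impacts)


def prioritise(risks: List[Risk]) -> List[Tuple[str, int, int, int]]:
    """Rank risks for a risk map as (name, probability, impact, rating).
    Ordering by probability x impact with impact as tie-breaker is a common
    heat-map convention assumed here; the text does not prescribe one."""
    rows = [(r.name, *r.scores()) for r in risks]
    rows = [(name, p, i, p * i) for name, p, i in rows]
    rows.sort(key=lambda row: (row[3], row[2]), reverse=True)
    return rows


# Constructed sample risks, loosely following themes in the sector notes
# (welfare reform, interest rates, house prices); the figures are illustrative.
SAMPLE_RISKS = [
    Risk("Welfare reform raises rent arrears", 75,
         {"financial": financial_level(2.0), "customers_staff": 4}),
    Risk("Interest rate rise without matching inflation", 8,
         {"financial": financial_level(6.0), "strategic": 4}),
    Risk("House price fall on homes built for sale", 20,
         {"financial": financial_level(12.0), "reputational": 3}),
]

if __name__ == "__main__":
    for name, p, i, rating in prioritise(SAMPLE_RISKS):
        print(f"{rating:>2}  P={p} I={i}  {name}")
```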

Exhibit 8.2 Sample Impact Scale

Columns: Impact Score, Description, Strategic, Financial (% of Turnover), Customers and Staff, Reputational, Legal/Regulatory

5 Very high
  Strategic: Major impact on direction of business
  Financial (% of turnover): Above 10%
  Legal/Regulatory: Compulsory transfer of assets

4 High
  Strategic: Major impact on important business objectives
  Financial (% of turnover): 3.1% to 10%
  Customers and Staff: Significant impact on many customers or staff
  Reputational: Major adverse publicity and external interest with damage to reputation and/or long-term impact
  Legal/Regulatory: Prosecution/regulatory supervision; significant resource to rectify

3 Medium
  Strategic: Noticeable impact but business still on course
  Financial (% of turnover): 1.1% to 3%
  Customers and Staff: Noticeable impact
  Reputational: Longer-term adverse publicity, locally contained
  Legal/Regulatory: Loss of regulatory approval

2 Low
  Strategic: Minor importance
  Financial (% of turnover): 0.3% to 1%
  Customers and Staff: Minor or short-term problems
  Reputational: Short-term local adverse publicity
  Legal/Regulatory: More serious breach but no long-term implications

1 Very low
  Financial (% of turnover): Less than 0.3%
  Customers and Staff: Impact both minor and short-term
  Reputational: No adverse publicity
  Legal/Regulatory: Minor breach of legal/regulatory requirements

FOUR ASSOCIATIONS

The case considers the strategy choice, risk analysis, and risk appetite of four associations:

1. Large London association (London & Quadrant, 70,000 housing units)

This is one of the largest associations with a very strong financial position. It is following an aggressive development policy with a mix of intermediate rent, market rent, and houses for sale in order to meet the expanding housing needs of London and the prosperous South East. It has invented a number of innovative financial instruments and renting regimes to make this high rate of expansion possible.

2. Medium-sized South Wales association (RCT Homes Limited, 10,000 housing units)

Based in the Welsh valleys to the north of Cardiff, an area of acute depression, this association has set up a number of social enterprise subsidiaries to help provide employment in the area. The association is also participating in a risky joint venture hoping to build 1,000 units mainly in the northern hinterland of Cardiff, the prosperous Welsh capital.

3. Specialist association (Ability Housing Association, 550 housing units)

This association provides housing and support services to disabled people living in the South of England. It works in partnership with other agencies to help deliver flexible and tailored housing and support for people who want to live more independently. Its housing stock comprises mostly either wheelchair-standard housing or supported housing for people who need additional care or support.

4. Medium-sized association in the prosperous corridor to the west of London (GreenSquare Group, 11,000 housing units)

The GreenSquare Group was originally formed in 2008 from two associations (Westlea Housing Association and Oxford Citizens Housing Association). Another Oxford-based association, Oxbode, joined the Group in November 2012. The Group has achieved an improvement in administrative efficiency and the development of product expertise, with a mixed portfolio of housing product lines and support activities.

ASSOCIATION A: LONDON & QUADRANT

Quadrant Housing Association was set up in 1963 by a group of young professionals who found out about the plight of the homeless in London, bought a house, and converted it into three flats. Initially the association operated from a church crypt, but by 1972 it had its own office and a portfolio of 1,300 homes. In 1973 it merged with the London Housing Trust, which had been set up in 1967, and by 1979 London & Quadrant (L&Q) had 6,000 homes. Quadrant Housing Finance was set up as a subsidiary of L&Q in 1997 to raise funds in the capital markets, and the expansion continued. L&Q now owns and manages about 70,000 homes in London and the South East and employs 1,200 staff.

Mission Statement

Our mission is: Creating places where people want to live. For us that means two things:

1. Maximising resident satisfaction with our homes, services, and neighbourhoods.

2. Responsible growth through new, sustainable investment models and new housing options that increase choice and mobility.

Both of these are vital to our continued success as the leading provider of affordable homes and services in London and the South East.4

Perceived Risks

The Board considers the following risks the most likely to affect future performance and our ability to achieve our five-year plan:

• Welfare reform: L&Q has allocated time and resources to understand the longer-term risk of welfare reform. We are working with local authorities to identify residents who will be affected and contacting them to ensure they are aware and prepared. Our focus has now turned to managing the transition. This includes targeting higher risk accounts, the recruitment of additional staff to deal with increased debt, and the creation of a financial inclusion team to support residents.

• Land cost inflation: We have embarked on a progressive development strategy to give us the flexibility to adapt in a fluid marketplace. Returns from private sale and rent portfolios reduce the impact of increased land costs on our affordable housing pipeline. L&Q has adopted a shared risk approach, where appropriate, through joint ventures to counter the impact of land cost inflation.

• Sales/mortgage availability: We adopt a bespoke marketing and sales strategy for each new development and undertake scenario modelling based on revenue and cost fluctuation. We work with mortgage lenders to ensure potential customers have access to advice on how much they can borrow and the range of products available. We also undertake market research to ensure the products offered meet market requirements.

• Withdrawal of capital grant funding beyond 2015: We have developed a sustainable cross-subsidy model for new homes, supported by our annual surplus. Our development strategy assumes no additional capital grant.

• Health and safety: A dedicated health and safety team supports all of L&Q activities. . . . The Group Board receives an annual report on progress against our health and safety strategy.

• Business continuity: We have effective IT and logistical back-up arrangements in place to ensure business continuity following a major event such as a fire. In particular L&Q has a disaster recovery data centre. This provides real time data replication along with capabilities for hosting our telephony and email in the event of a major incident.

• Protection of charitable assets: Our financial strategy includes sensitivity analysis and performance indicators. These demonstrate that non-charitable activities do not place our charitable assets at risk. All non-charitable projects require Board approval and include exit plans. L&Q will respond to regulatory thinking and requirements as they develop.

• Rent control: L&Q is working with Shelter on its Stable Rental Contract. This involves market rent increases pegged at a percentage over CPI or RPI (Retail Price Index) combined with longer-term (probably five year) tenancies. In the worst scenario, current exposure to market rent is limited as a proportion of total housing stock. A greater risk relates to further rent control for existing social rented homes. Any adverse change would be met with a reduction in our development appetite.

• Property prices: Savills predicts zero percentage growth in London during 2013 but over 25 percent growth over the next four years. L&Q’s financial strategy tests a worst case scenario twice yearly and concludes that a 25 percent reduction in house prices will not have a material effect on our covenants. Whilst property prices have fallen by more than 25 percent once over the last 30 years, and taken nearly a decade to recover, L&Q is a long-term property investor and able to withstand such events. We are able to delay construction and move completed homes into alternative tenures rather than sell at a loss. Finally we may also see a fall in land prices as an opportunity to invest for the future.

• Impact of austerity/welfare reform on resident satisfaction: Welfare reform combined with continued austerity measures could have an adverse impact on the outlook of residents and their general satisfaction. Resident satisfaction is a top priority for L&Q. We have put in place a service improvement plan that will deliver sustainable improvements through investment in our social mission, our culture, systems and process change.

The summarized financial statements of London & Quadrant for the previous five years are presented in Exhibit 8.3.

Choices Made in 2012/2013

To help relieve London’s housing shortage, the size of the L&Q development program has been increased in the past year from £1.25 billion to £2 billion, and there are now 12,000 homes in the program, of which £250 million is for 1,000 homes for rent at market rates. This represents a quickly accelerating growth rate—in 2012/2013 L&Q completed 1,444 new homes, 952 of which were for social rent, 25 were for affordable rent, 222 were low-cost home ownership homes, 201 were for market sale, 10 were for private rent, and 34 were for intermediate rent. L&Q’s in-house contractor, Quadrant Construction Services, handled over 231 of these homes, with a further 465 in progress at year-end.

In 2011 L&Q committed £100 million to the newly launched L&Q Foundation to tackle disadvantage by supporting projects that help people access training and employment, give opportunities to young people, provide guidance and support with managing finances, and build stronger communities.

In 2012/2013, over 4,000 people benefited from activities supported by the Foundation; £10 million was spent as follows:

• £5.6 million on community activities
• £1.9 million on giving residents financial advice and supporting Citizens Advice Bureau and Credit Unions
• £1.4 million on schemes to increase resident employability
• £1.1 million on youth schemes

ASSOCIATION B: RCT HOMES RCT Homes Limited is the largest social landlord on Wales and winner of Business in the Community’s Welsh Company of the Year 2012 Award. RCT is based in Pontypridd, in the Welsh county borough of Rhondda Cynon Taf, situated at the confluence of the Rhondda and Cynon Taff valleys. The town is famous for its old bridge, which, when it was constructed in 1756, had the longest single-span


Exhibit 8.3 Financial Performance of London & Quadrant

Panel A: Income and Expenditure Account Income and expenditure account

(£ million) 2013 2012 2011 2010 2009 Turnover 457 368 327 330 306 Operating costs and cost of sales (238) (243) (240) (276) (224) Operating surplus 181 144 89 87 66 Net interest charge (70) (65) (62) (43) (41) Surplus on disposal of assets 11 16 17 17 12 Taxation (4) — — — — Surplus for the year after tax 118 95 44 61 37

Panel B: Balance Sheet Balance sheet (£ million) 2013 2012 2011 2010 2009 Housing properties at cost less

depreciation 4,787 4,618 4,411 4,247 4,023 Social housing and other grants (2,625) (2,564) (2,515) (2,336) (2,215) Subtotals 2,162 2,054 1,896 1,911 1,808 Other tangible fixed assets and

investments 144 51 55 53 28 Net current assets 395 340 457 355 196

2,701 2,445 2,408 2,319 2,032 Loans due after one year 1,877 1,749 1,779 1,880 1,667 Other long-term liabilities 249 216 186 28 12 Cash flow hedge reserve (93) (77) (24) (28) (42) Revenue reserve 668 557 467 439 395

2,701 2,445 2,408 2,319 2,032

Panel C: Cash Flow Statement Cash flow statement (£ million) 2013 2012 Net cash inflow from operating

activities 141.3 123.3 Interest paid/received (93.1) (83.1) Capital expenditure House construction and purchase (146.5) (177.2) Capital reinvestment in existing

stock (49.9) (70.2) Capital grants received 57.4 65.2 Purchase of other assets (95.8) (1.3) Sale of fixed assets 26.5 36.1 Subtotal (208.3) (147.4) Cash outflow before financing (160.1) (107.2) Cash withdrawn from term deposits 56.9 26.2 Financing Loans received 250.0 — Loans repaid (135.5) (3.4) Increase/(decrease) in cash and

cash equivalents 11.3 (84.4)


130 Implementing Enterprise Risk Management

Exhibit 8.3 (Continued)

Panel D: Financial Ratios and Statistics

Financial ratios and statistics                   2013     2012     2011     2010     2009
Operating margin on social housing lettings        46%      46%      34%      37%      31%
Operating margin—all activities                    40%      39%      27%      26%      22%
Interest cover—excl asset sales & disposals       212%     211%     142%     202%     161%
Interest cover—incl asset sales & disposals       277%     244%     170%     242%     190%
Net gearing                                        56%      53%      51%      53%      56%
Operating cost per unit managed £                2,900    2,700    3,200    3,100    3,300
Net debt per unit managed £                     25,400   23,700   22,600   23,400   22,700
Homes managed (000’s)                             70.1     68.6     67.1     62.1     60.6
Estimated open market value of homes £ bn         12.0     10.8     10.3      9.4      8.5

Panel E: Product Profitability 2013

Product profitability                  2013 Turnover   2013 Operating Surplus
                                                 £m                       £m
Social housing
  General needs                               274.7                    131.9
  Supported housing                            22.5                      5.9
  Intermediate market rent                     16.2                      8.0
  Low-cost home ownership                      49.7                     19.6
  Affordable rent                               4.4                     (0.3)
  Other social housing activities               7.1                     (4.8)
  Community investment                          0.2                     (9.8)
                                              374.8                    150.5
Other
  Outright sales                               76.4                     27.2
  Market rent                                   2.6                      1.4
  Student accommodation                         2.5                      1.0
  Commercial                                    0.5                      0.5
Total                                         456.8                    180.6
Disposal of fixed assets                                                11.5
Interest payable/receivable                                            (69.3)
Other                                                                   (0.3)
Tax                                                                     (4.4)
Surplus for year after tax                                             118.1


stone arch in the world. The coal mines that formerly were the basis of the area’s economy were closed in the 1980s, and it has been difficult to attract new industry. In Rhondda Cynon Taf, the unemployment rate and the proportion of people of working age claiming benefits remain about 50 percent greater than in other parts of the United Kingdom.

RCT Homes was set up in 2007 to take over the ownership and management of more than 10,000 homes in the borough, which had been allowed to get into bad condition. In particular, over 30 percent of them did not meet the Welsh Housing Quality Standard, which the Welsh government said should be satisfied by the end of 2012. The performance of some services that tenants had been receiving was also well below the standard they had a right to expect.

RCT is a community mutual organization with nearly 5,000 members and a board comprising 15 people: five tenants, five members nominated by the Rhondda Cynon Taf Council, and five independent members. Board members are not paid. RCT now employs more than 500 staff and has four unregistered subsidiary companies—Meadow Prospect, Grow Enterprise Wales (GrEW), Homeforce, and Porthcwlis.

At transfer, funding was agreed from the government and from Lloyds Bank to pay for the required works, and 86 performance promises were made to tenants. Eighty promises, including achievement of the Welsh Housing Quality Standard, were signed off as delivered by the RCT Homes Members’ Forum and the local authority ahead of schedule in December 2012, and RCT has written to every household to inform tenants and invite challenge.

The RCT Subsidiaries5

RCT has a strong wider social agenda—encompassing financial, social, and digital inclusion and employment and addressing health inequalities—aimed at building individual and community capacity to improve tenancy and neighborhood sustainability. Some of these aims are planned to be realized through the four RCT subsidiaries.

RCT Homes has major pipeline proposals for development of new homes via its new development subsidiary, Porthcwlis, working with the Cardiff developer, Bellerophon. The proposals are at an early stage of development, and no homes have yet been completed. A new financing and delivery vehicle has been produced, which has secured £1 billion of private sector finance and which, it is hoped, will enable the public sector, housing associations, and private developers to come together to build many affordable homes without the need for capital grant funding from the Welsh government. An initial development of four homes, the first of a pilot for 30 homes at Cwmbach in the Cynon Valley, is now in progress.

Meadow Prospect, RCT’s regeneration charity, delivers community-enhancing regeneration projects by working with partner organizations. These support three core objectives:

1. Community capacity building projects, including youth work and supported employment programs

2. Community-based renewable energy projects

3. Social enterprise development


Grow Enterprise Wales (GrEW) is an award-winning social enterprise subsidiary of Meadow Prospect that aims to move local people closer to the workplace by offering work experience and basic life skills training.

Homeforce was set up in 2010 as a subsidiary to carry out annual gas safety checks, which are mandatory under current safety legislation, and gas-based responsive repairs. RCT Homes Group Board agreed in 2012 that Homeforce would expand to become the sole contractor for boiler and heating installations and would undertake half of the electrical improvement works program. Homeforce also became the appointed contractor for the completion of the power flushing program, which forms part of the long-term maintenance program of the current stock in RCT Homes’ properties.

The Sheltered Housing Remodelling Programme, being carried out within the parent company, is a major program for the remodeling of RCT’s sheltered housing accommodation for the elderly. This continued in 2012/2013 with the commencement of works in seven schemes. In 2012/2013, £9.2 million was spent, with a total of £12.4 million having been spent since transfer on improving sheltered accommodation. A further two schemes are planned to commence in 2013/2014.

Perceived Risks

The quotations that follow are from the RCT Homes 2012/2013 Group financial statements:

During 2012 the group risk map was developed to ensure it has a greater strategic focus. It identifies the following risks and challenges to the Group:

• Welfare Reform—As previously stated the changes proposed to welfare benefits will significantly change the UK housing sector and will place increased financial pressure on tenants and subsequently us. Direct payments to tenants increase the risk of our bad debt provision increasing and we will need to find innovative ways to keep cash collection rates at an acceptable level.

• Rent Restructure—The consultation document issued by Welsh Government in 2011 indicated that our rent envelope is lower than the current average rents charged across the borough, resulting in lower rent increases than those currently included in the business plan. The implementation of the new regime has been delayed until April 2014. This risk coupled with Welfare Reform has the potential to have a major impact on the rental income of the Group.

• Sheltered Remodelling Programme—As the project continues we need to ensure specifications are clear and build costs remain within budget. We need to ensure the preferred models are future proofed and fit for purpose whilst at the same time ensuring value for money. Active financial management, planning, and tenant input will be key to the success of this project.

• Impact on New Build to the Group—We currently have permission to pilot 200 properties through the framework operated by Porthcwlis. Any further increase in volumes will need consent from our funders.

• Expansion of Homeforce—As Homeforce expands into new work streams and begins to operate outside of the Group, we need to ensure growth is manageable in terms of resources and working capital. Asset investment will need to be closely managed to ensure cash does not become over committed and profitability on contracts is maintained.

• Long-Term Financial Viability of GrEW—Work is in progress to reduce costs within GrEW and expand its customer base to make the business more financially secure. During this time Meadow Prospect will continue to support its subsidiary.

The summarized financial statements of RCT Homes for the previous five years are presented in Exhibit 8.4.

RCT Homes entered into a value-added tax (VAT)6 shelter coincident with the date of transfer of the housing stock, to carry out an agreed schedule of refurbishment works to the properties. The value of these works was £359 million. The cost to the borough council of contracting for these works to be undertaken was offset against an equal increase in the purchase price of the stock paid to the borough council by RCT Homes. This transaction is not reflected in the financial statements in accordance with Financial Reporting Council (FRS) 5,7 reporting the substance of transactions over the legal form. The works contracted are to be carried out over an envisaged 15-year period and are being recognized as they are undertaken, in accordance with the accounting policy for major, cyclical, and responsive repairs. In the event RCT Homes does not complete the work specified, the development agreement may be terminated at no financial loss to RCT Homes.

At April 2013, it was envisaged that there will be a further £136 million of expenditure under the remaining nine years of the VAT shelter.

Exhibit 8.4 Financial Performance of RCT Homes

Panel A: Income and Expenditure Account

Income and expenditure account (£ million)   2013    2012    2011    2010    2009
Turnover                                     45.9    44.6    43.6    40.0    36.6
Operating costs                             (33.0)  (38.5)  (29.6)  (28.0)  (27.1)
Operating surplus                            12.9     6.1    14.0    12.0     9.5
Net interest charge                          (1.4)   (0.5)   (0.0)   (0.5)    0.3
Surplus on disposal of assets                 0.5     0.4     0.5     0.5     1.8
Actuarial (loss) on pension scheme           (0.1)   (3.8)   (4.0)   (1.3)   (6.2)
Surplus for the year after tax               11.9     2.2    10.4    10.7     5.4

Panel B: Balance Sheet

Balance sheet (£ million)                                 2013    2012    2011    2010    2009
Housing properties at cost less depreciation and grant    96.6    75.1    46.4    27.7    11.8
Other tangible fixed assets and investments                1.3     1.6     1.9     2.3     2.5
Net current assets/(liabilities)                          (0.8)   (1.8)    1.6   (10.6)   (7.6)
                                                          97.1    74.9    49.9    19.4     6.7
Loans due after one year                                 (47.0)  (37.0)  (18.0)   (5.0)   (3.0)
Other long-term liabilities (pensions)                    (7.2)   (6.8)   (3.1)    0.0     0.0
Net assets                                                42.9    31.1    28.8    14.4     3.7

Panel C: Cash Flow Statement

Cash flow statement (£ million)                 2013    2012
Net cash inflow from operating activities       16.3     9.9
Interest paid/received                          (1.5)   (1.0)
Capital expenditure
  Improvement works on properties              (27.0)  (33.1)
  Social housing and other grants                1.6     3.7
  Purchase of other assets                      (0.3)   (0.3)
  Sale of fixed assets                           0.5     0.5
  Subtotal                                     (25.2)  (29.2)
Cash outflow before financing                  (10.4)  (20.2)
Loans advances received                         10.0    19.0
(Decrease) in cash and cash equivalents         (0.4)   (1.2)

ASSOCIATION C: ABILITY HOUSING ASSOCIATION

Ability Housing Association is a specialist association that provides housing and support services to disabled people living in the South of England. It works in partnership with local authority housing, social services, and Supporting People teams, the Homes and Communities Agency, and mainstream housing associations to help deliver flexible and tailored housing and support for people who want to live more independently. The Ability Housing Association operates in London, Essex, Oxfordshire, Berkshire, Hampshire, Surrey, Dorset, and West Sussex. Its housing stock comprises mostly either wheelchair-standard housing or supported housing for people who need additional care or support.

The association was set up in 1999 when the Cheshire Foundation Housing Association changed its name and relaunched as Ability. At this point it had 285 homes under management, employed 47 staff, and had a turnover of £1.86 million. In 2003 the national Supporting People program began, and Ability entered into Supporting People contracts with 18 local authorities. In 2004 Ability set up its first mental health support services, in the London borough of Merton, and in 2004 Ability was rated as the second most efficient registered social landlord (RSL) in England. In 2007 it was selected to provide mental health support services in Surrey and new supported housing in Swindon. Over the next 10 years it grew steadily, and in 2009 the REAP resettlement agency transferred its activities to Ability. By 2012 Ability had over 550 homes under management, and had a turnover of £8.8 million. In 2012, for the second year running, Ability was recognized as one of the Sunday Times’ 100 Best Not-for-Profit Organisations to Work For.

In its corporate plan Ability states its values as follows:

Our pursuit of our visions is underpinned by the following values which permeate the whole organisation:

We focus on ability not disability

– We focus on what each person can do—on their ability—rather than what they can’t do. We work together with our customers to help them overcome barriers to their own personal independent living goals.

We engage actively for feedback

– We engage actively with our customers, colleagues, and partners to seek feedback that helps us to understand how we can improve what we do and how we do it.


We value difference

– We respect and value the individuality of each person; we believe that differences are strengths and that diversity enriches our lives and communities.

We demonstrate integrity

– We encourage a culture of openness, honesty, and personal accountability; we respond to a challenge by asking ourselves what we can do to help and always deliver on our promises.

Ability provides the following services:

Housing with Support, to promote independent living, for example:

• Assistance with learning independent living skills

• Advice and assistance with claiming welfare benefits and housing benefit

• Advice and assistance with budgeting and managing bills

• Advice on aids and adaptations

• Assistance with reporting repairs and managing tenancies

• General counseling and support with day-to-day living

• Assistance with arranging personal care and contacting other agencies involved in care and welfare

Most of the Housing with Support is provided in self-contained flats or bungalows, although some of it is in shared housing or studio apartments with some shared facilities.

Floating Support, similar support to that just described but provided without housing. This service helps people with physical disabilities, learning disabilities, or mental health–related support needs to manage their homes.

The Accessahome database, to enable disabled people, housing associations, and local authorities to make better decisions about housing. Accessahome records details about accessible features of properties—for example, if a property has been purpose-built to a wheelchair standard, lifetime homes standard, or mobility standard, or it has been specially adapted for a disabled person, for example, with a stair lift, level-access shower, or adapted kitchen. The database offers a matching service for both landlords and applicants and support information for disabled people, so that a landlord with an accessible or adapted property that is available for letting can search the database for applicants whose needs match the features of the property.

Perceived Risks

Extracts from 2012 Annual Report:

The removal of the Supporting People “ring-fence,”8 coupled with extreme funding cuts faced by local authorities, has cast doubt on the future of many supported housing and social care services. At Ability we place faith in maintaining the quality and value for money of services and being able to demonstrate positive outcomes for customers and commissioners.

We are pleased therefore to have been able to agree with local authorities in London Borough of Hillingdon and West Sussex extensions to some of our most valuable services. Sadly this has not always been the way and, following a competitive tendering exercise, some of our floating support services in Slough have been transferred to another provider. . . .

Again this year we have seen the loss of some of our supporting people contracts with others reducing in value. We expect further reductions in the years ahead. By winning new business through competitive tender processes we have been able to replace a part of the lost income.

The summarized financial statements of Ability Housing Association for the previous five years are presented in Exhibit 8.5.

Exhibit 8.5 Financial Performance of Ability Housing Association

Panel A: Income and Expenditure Account

Income and expenditure account (£ million)   2012   2011   2010   2009   2008
Turnover                                      8.8    8.6    8.6    7.4    5.6
Operating costs and cost of sales            (7.6)  (7.4)  (7.3)  (6.5)  (4.9)
Operating surplus                             1.2    1.2    1.3    0.9    0.7
Net interest charge                          (0.4)  (0.2)  (0.1)  (0.1)  (0.1)
Surplus on disposal of assets                 0.1    0.4     —      —     0.1
Taxation                                       —      —      —      —      —
Surplus for the year after tax                0.9    1.4    1.2    0.8    0.7

Panel B: Balance Sheet

Balance sheet (£ million)                              2012   2011   2010   2009   2008
Housing properties at cost less depreciation & grant   18.9   16.7   13.0    8.8    7.2
Other tangible fixed assets and investments             1.1    1.1    1.1    0.5    0.5
Net current assets                                      0.8    0.2    0.8    0.4    0.3
                                                       20.7   20.0   14.9    9.7    8.0
Creditors due after more than one year                 (9.9)  (8.1)  (6.6)  (2.5)  (1.6)
Other long-term liabilities                              —      —      —      —      —
                                                       10.8    9.9    8.3    7.2    6.4

ASSOCIATION D: GREENSQUARE

Recently, locally based housing associations have been amalgamating together to form regional groups. Once the amalgamation has been accomplished, the groups often organize themselves on a product and activity basis, invest in innovative new products, develop vigorously, and continue to absorb further local associations.

GreenSquare Group Limited is typical of such a group, operating across Wiltshire, Oxfordshire, Gloucestershire, Swindon, and the surrounding areas. GreenSquare was originally formed in 2008 from two associations (Westlea Housing Association and Oxford Citizens Housing Association). Another Oxford-based association, Oxbode, joined the GreenSquare Group in November 2012. GreenSquare now manages over 11,000 properties.

The strategy just described allows the reduction of administration costs and the development of product expertise. GreenSquare has the following:

• Development construction services provided by its in-house subsidiary Tidestone

• Property investment and maintenance of public open spaces undertaken by its commercial subsidiary Oakus

• Gas servicing and renewable energy business undertaken by a new acquisition, GW Sparrow & Company Ltd., based in Swindon

GreenSquare Group now has the following key business streams:

• General needs housing for rent, primarily by families who are unable to rent or buy at open market rates

• Supported housing and housing for older people who need additional housing-related support or additional care

• Low-cost home ownership, primarily shared ownership whereby residents purchase a share in the equity of their homes and pay rent to the association on the remainder

• Building large volumes of new affordable housing and a lead development partner under the Homes and Communities Agency (HCA)’s National Affordable Housing Programme (NAHP)

• A newly registered housing association, GreenSquare Community Housing Association, was set up in 2012. This will build houses financed by a £32 million sale-and-leaseback financing from Aviva, which will enable the Group to respond to new development opportunities as well as continuing to deliver its existing HCA program.

• The GreenSquare Academy has recently been set up to offer training and life skills development to residents, as many associations are becoming increasingly involved in education and vocational training.

Amalgamated organization structures carry a danger of reduced resident involvement; GreenSquare therefore set up three communities boards in 2012/2013 to ensure that its services and how the neighborhoods are run are kept under close review. Last year £0.9 million was allocated to support community projects. GreenSquare also has a Resident Scrutiny Panel to carry out inspections and engage directly with residents.

Objectives and Strategy

GreenSquare’s mission is seen as “housing people, building communities.” The achievement of this is underpinned by four key vision statements:

1. Develop good quality housing to meet a wide and growing range of needs.

2. Create places where people want to live, and support a good quality of life.

3. Provide the range and quality of services our customers want.

4. Grow our activities and improve our financial strength and sustainability.

The following list of key risks is drawn from the 2012/2013 GreenSquare Group Limited annual report:

Key Risks                                   Comment

Current economic climate and impact on public sector funds and the housing market
    The continued restraints on government spending, changes to the housing benefit rules, along with the wider economic downturn, have been identified as key risks to the group. Such changes are likely to impact on the group’s ability to deliver its planned development program and may also affect core activities.

Delivery of development program
    Successful delivery of the program depends on continued support from the HCA for the Group, as well as the ability and willingness of development contractors to continue to build the Group’s schemes in a challenging economic environment.

Availability of finance
    Availability of loan finance is key to a thriving housing market, with potential impact on the Group’s ability to deliver its development program as well as difficulty for potential shared ownership purchasers to raise finance.

Low demand for housing properties developed for sale
    The Group’s development program includes low-cost home ownership. Success depends on demand for the properties. Low demand in the housing market generally has an impact on low-cost home ownership schemes.

Rise in final salary pension scheme liabilities to unaffordable level
    The Group could face significant liabilities for meeting pension fund deficits. The Group’s contributions to the fund may need to increase significantly in order to fund the scheme.

Change in government policy or new legislation
    Such changes could have significant impact on the sector and therefore the operations of the Group (e.g., changes to the planning or tax regimes may increase costs of new developments, reducing scheme affordability).

Performance failure
    Performance failures in services to our customers would affect the Group’s rating with the HCA and its reputation in the sector. Failure to deliver its development program may result in a withdrawal of capital grant.

Loss of key staff
    Retention of quality staff and managers is key to successful delivery of the Group’s business plans.

Selected summarized financial statements of GreenSquare Group Limited from the previous five years are presented in Exhibit 8.6.9


Exhibit 8.6 Financial Performance of GreenSquare Group

Panel A: Income and Expenditure Account

Income and expenditure account (£ million)   2013    2012    2011    2010    2009
Turnover                                     56.2    48.5    45.0    45.3    45.7
Operating costs and cost of sales           (43.1)  (37.2)  (35.0)  (35.0)  (36.8)
Operating surplus                            13.1    11.3    10.0    10.3     8.9
Net interest charge                         (11.0)   (9.5)   (9.2)   (8.4)   (7.7)
Surplus on disposal of assets                 0.8     0.3     0.1     0.2     0.1
Other income (note 1)                        10.5
Taxation                                      0.1    (0.3)   (0.1)  (0.02)   (0.1)
Surplus for the year after tax               13.5     1.8     0.8     2.1     1.0

Panel B: Balance Sheet

Balance sheet (£ million)                        2013     2012     2011     2010     2009
Housing properties at current valuation         545.2    384.5    350.6    343.2    301.5
Other tangible fixed assets and investments       6.3      6.2      5.7      5.7      5.7
Net current assets                               20.3      3.3     (4.1)     4.3      6.9
                                                571.8    394.0    352.2    353.2    314.1
Loans due after one year                       (281.6)  (237.3)  (211.3)  (210.3)  (194.1)
Other long-term liabilities                      (6.7)    (6.7)    (5.1)   (10.2)    (4.6)
                                                283.3    150.0    135.8    132.7    115.4

Panel C: Cash Flow Statement

Cash flow statement (£ million)              2013    2012    2011    2010    2009
Net cash inflow from operating activities    20.9    20.1    20.1    20.1    20.1
Interest paid/received                      (10.7)  (10.6)  (10.6)  (10.6)  (10.6)
Tax paid                                     (0.1)   (0.1)   (0.1)   (0.1)   (0.1)
Cash from acquisition of Oxbode               2.3    (0.9)   (0.9)   (0.9)   (0.9)
Capital expenditure
  House construction and purchase           (29.2)  (39.1)  (39.1)  (39.1)  (39.1)
  Capital grants received                     4.1     9.3     9.3     9.3     9.3
  Purchase of other assets                   (1.1)   (0.7)   (0.7)   (0.7)   (0.7)
  Sale of fixed assets                        1.7     1.0     1.0     1.0     1.0
  Subtotal                                  (24.5)  (29.5)  (29.5)  (29.5)  (29.5)
Cash outflow before financing               (12.1)  (21.0)  (21.0)  (21.0)  (21.0)
Cash (invested in) term deposits            (13.7)   (2.2)   (2.2)   (2.2)   (2.2)
Financing
  Loans received                             31.8    26.6    26.6    26.6    26.6
  Loans repaid                               (1.0)   (0.8)   (0.8)   (0.8)   (0.8)
Increase in cash and cash equivalents         5.0     2.6     2.6     2.6     2.6

Note 1: Gift on acquisition when Oxbode joined the Group in November 2012.

QUESTIONS

You are asked to look at the four housing associations and choose one of them whose location most resembles your own home area, together with another association in a contrasting area. You are asked to address four questions for each of the two associations that you have chosen:

1. Given the fact that the association is a charity, with risks related both to its financial and charitable aims and any profits made being reinvested to support its charitable aims, what do you assess as the biggest risks facing the association and what is your assessment of these risks? Note that “for-profit” activities such as building houses for sale can also contribute to an association’s aims (e.g., to provide affordable housing within its chosen area of operation).

2. Considering the list of products in the “Background” section, how do you rate their potential risks and returns for the association, again in relation to its charitable aims and viability constraints and in the context of the association’s operating environment?

3. In the light of the association’s financial position and its charitable aims, how high should be the risk appetite of the association? Is one of the generic strategies listed in the “Sector Issues” section appropriate for the association, and if not then what should the association’s strategy be?

4. Can you suggest product growth targets and appropriate risk limits that will enable the association to develop safely and dynamically in the short/medium term?

The association data was drawn in 2013 from current real cases, and it may help you to investigate the “actual” cases and their contexts.

NOTES

1. The Decent Homes Standard is a technical standard for public housing introduced by the United Kingdom government in April 2002. It underpinned the Decent Homes Programme brought in by the Labour party, which aimed to provide a minimum standard of housing conditions for all those who are housed in the public sector (i.e., council housing and housing associations). The content of the standard is described in the House of Commons Library Research Paper 03/65 “Delivering the Decent Homes Standard: Social Landlords’ Opinions and Progress.”

2. For more detail, see sector-risk-profile-120611.pdf.

3. See section 5.3.5, “Defining Risk Criteria,” in ISO 31000:2009.

4. The quotes are from the L&Q 2013 financial statements; see .uk/_assets/files/LQ0363_Financial-Statements-2013_LR.pdf. For more information about L&Q see

5. For more information on the RCT subsidiaries, please refer to:,, .uk/index.php,, and www.meadowprospect

6. A value-added tax (VAT) is a form of consumption tax. From the perspective of the buyer, it is a tax on the purchase price. From that of the seller, it is a tax only on the value added to a product, material, or service, from an accounting point of view, by this stage of its manufacture or distribution. The manufacturer remits to the government the difference between these two amounts, and retains the rest for itself to offset the taxes it had previously paid on the inputs, see HM Revenue & Customs: Introduction to VAT,

7. FRS 5 addresses the problem of what is commonly referred to as off-balance-sheet financing. One of the main aims of such arrangements is to finance a company’s assets and operations in such a way that the finance is not shown as a liability in the company’s balance sheet. A further effect is that the assets being financed are excluded from the accounts, with the result that both the resources of the entity and its financing are understated. Source: Financial Reporting Council.

8. Ring-fencing occurs when a portion of a company’s assets or profits are financially separated without necessarily being operated as a separate entity. This might be for regulatory reasons, creating asset protection schemes with respect to financing arrangements, or segregating into separate income streams for taxation purposes. Ring-fencing guarantees that funds allocated for a particular purpose will not be used for anything else. Source: Note: The removal of the Supporting People ring-fence allows local authorities to divert to other activities the money allocated to them for this program. The result has been severe cuts in the total Supporting People funding.

9. For GreenSquare’s financial statements, see: bbc772028GS.pdf and 12.pdf.

REFERENCES

Fraser, John, and Betty J. Simkins, eds. 2010. Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Hoboken, NJ: John Wiley & Sons.

Sector Risk Profile. 2012. Homes and Communities Agency, London, England. 120611.pdf.

ABOUT THE CONTRIBUTOR

Following a mathematics degree at Cambridge University and six years’ KPMG strategy consultancy experience, John Hargreaves took up a series of financial positions, including periods as the Financial Controller of National Freight, a stint running Shell’s central financial and management accounting and planning systems, and three years as the Finance Director of London Underground. Since 1991 John has specialized in risk management, initially as Corporate Finance Director of Barclays Bank, where he was responsible for introducing risk management systems following the previous United Kingdom depression.

In 1996 he became Managing Director of Hargreaves Risk and Strategy, which has clients in the housing, banking, oil, and transport sectors. The consultancy has implemented risk management systems in about 60 organizations. John is a leading expert on the quantification of risks. He has conducted research over a number of years on the risk profile of the UK social housing sector, initially through study of client risk maps but also through analysis of the risks that occurred in a sample of 41 companies. This knowledge was used in 2005 in the design of the sector’s highly successful risk-related regulatory system.

John is also an authority on the relationship between risk management and strategy, and for 15 years has run a course on strategic management for an MSc program at the London School of Economics.


Lessons from the Academy

ERM Implementation in the University Setting

ANNE E. LUNDQUIST Western Michigan University

The tragedy at Virginia Tech, infrastructure devastation at colleges and universities in the New Orleans area in the aftermath of Hurricane Katrina, the sexual abuse scandal at Penn State, the governance crisis at the University of Virginia, American University expense-account abuse, and other high-profile university situations have created heightened awareness of the potentially destructive influence of risk and crisis for higher education administrators.1 The recent Risk Analysis Standard for Natural and Man-Made Hazards to Higher Education Institutions (American Society of Mechanical Engineers–Innovative Technologies Institute 2010) notes that “resilience of our country’s higher education institutions has become a pressing national priority” (p. vi). Colleges and universities are facing increased scrutiny from stakeholders regarding issues such as investments and spending, privacy, conflicts of interest, information technology (IT) availability and security, fraud, research compliance, and transparency (Willson, Negoi, and Bhatnagar 2010). A statement from the review committee assembled to examine athletics controversies at Rutgers University is not unique to that situation; the committee found that “the University operated with inadequate internal controls, insufficient inter-departmental and hierarchical communications, an uninformed board on some specific important issues, and limited presidential leadership” (Grasgreen 2013).

The situation at Penn State may be one of the clearest signals that risk management (or lack thereof) has entered the university environment and is here to stay. In a statement regarding the report, Louis Freeh, chair of the independent investigation by his law firm, Freeh Sporkin & Sullivan, LLP, into the facts and circumstances of the actions of Pennsylvania State University, said the following:

In our investigation, we sought to clarify what occurred . . . and to examine the University’s policies, procedures, compliance and internal controls relating to identifying and reporting sexual abuse of children. Specifically, we worked to identify any failures or gaps in the University’s control environment, compliance programs and culture which may have enabled these crimes against children to occur on the Penn State campus, and go undetected and unreported for at least these past 14 years.


144 Implementing Enterprise Risk Management

The chair of Penn State’s board of trustees summed it up succinctly after the release of the Freeh Report (Freeh and Sullivan 2012) regarding the university’s handling of the sexual abuse scandal: “We should have been risk managers in a more active way” (Stripling 2012).

The variety, type, and volume of risks affecting higher education are numerous, and the public is taking notice of how those risks are managed. Accreditation agencies are increasingly requiring that institutions of higher education (IHEs) demonstrate effective integrated planning and decision making, including using information gained from comprehensive risk management as a part of the governance and management process.2 Credit rating agencies now demand evidence of comprehensive and integrated risk management plans to ensure a positive credit rating, including demonstration that the board of trustees is aware of, and involved in, risk management as a part of its decision making.3 Through its Colleges and Universities Compliance Project, the Internal Revenue Service (IRS) is considering how to hold IHEs responsible for board oversight of risk, investment decisions, and other risk management matters.4 The news media has a heightened focus on financial, governance, and ethical matters at IHEs, holding them accountable for poor decisions and thus negatively affecting IHE reputations. In response to this, many IHEs have implemented some form of enterprise risk management (ERM) program to help them identify and respond to risk.

THE HIGHER EDUCATION ENVIRONMENT

Colleges and universities have often perceived themselves as substantially different and separate from other for-profit and not-for-profit entities, and the outside world has historically viewed and treated them as such. Colleges and universities have been viewed as ivory towers, secluded and separated from the corporate (and thus the federal regulatory and, often, legal) world. Higher education was largely a self-created, self-perpetuating, insular, isolated, and self-regulating environment. In this culture, higher education institutions were generally governed under the traditional, independent “silos of power and silence” management model, with the right hand in one administrative area or unit often unaware of the left hand’s mission, objectives, programs, practices, and contributions in another area.

John Nelson (2012), managing director for the Public Finance Group (Healthcare, Higher Education, Not-for-Profits) for Moody’s Investors Service, observed that higher education culture is somewhat of a contradiction in that colleges and universities are often perceived as “liberal,” whereas organizationally they tend to be “conservative and inward-looking.”5 Citing recent examples at Penn State and Harvard, he noted that colleges and universities can be “victims of their own success”; a past positive reputation can prevent boards from asking critical questions, and senior leadership from sharing troubling information with boards, and this can perpetuate a culture that isn’t self-reflective, thus increasing the likelihood for a systemic risk management or compliance failure. The Freeh Report (2012) is instructive regarding not only the Penn State situation, but the hands-off and rubber-stamp culture of university boards and senior leaders more broadly. The Freeh Report found that the Penn State board failed in its duty to make reasonable inquiry and to demand action from the president, and that the president, a senior vice president, and the general counsel did not perform their duties.


The report calls these inactions a “failure of governance,” noting that the “board did not have regular reporting procedures or committee structure to ensure disclosure of major risks to the University” and that “Penn State’s ‘Tone at the Top’ for transparency, compliance, police reporting, and child protection was completely wrong, as shown by the inaction and concealment on the part of its most senior leaders, and followed by those at the bottom of the University’s pyramid of power.”

In his text regarding organizational structures in higher education, How Colleges Work, Birnbaum (1988) notes that, organizationally and culturally, colleges and universities differ in many ways from other organizations. He attributes this difference to several factors: the “dualistic” decision-making structure (comprised of faculty “shared governance” and administrative hierarchy); the lack of metrics to measure progress and assess accountability; and the lack of clarity and agreement within the academic organization on institutional goals (based, in part, on the often competing threefold mission of most academic organizations of teaching, research, and service). Because of these organizational differences, Birnbaum notes that the “processes, structures, and systems for accountability commonly used in business firms are not always sensible for [colleges and universities]” (p. 27).

While noting that colleges and universities are unique organizations, Birnbaum also observes that they have begun to adopt more general business practices, concluding that “institutions have become more administratively centralized because of requirements to rationalize budget formats, implement procedures that will pass judicial tests of equitable treatment, and speak with a single voice to powerful external agencies” (p. 17).

This evolution to a more businesslike culture for IHEs has been evolving since the 1960s and has brought significant societal changes while seeing the federal government, as well as state governments, begin to enact specific legislation affecting colleges and universities.6 The proliferation of various laws and regulations, coupled with the rise of aggressive consumerism toward the end of the 1990s, has led to an increased risk of private legal claims against institutions of higher education—and their administrators—as well as a proliferation of regulatory and compliance requirements. Higher education is now generally treated like other business enterprises by judges, juries, and creative plaintiffs’ attorneys, as well as by administrative and law enforcement agencies, federal regulators—and the public.

Mitroff, Diamond, and Alpaslan (2006) point out that despite their core educational mission, colleges and universities are really more like cities in terms of the number and variety of services they provide and the “businesses” they are in. They cite the University of Southern California (USC) as an example, noting that USC operates close to 20 different businesses, including food preparation, health care, and sporting events, and that each of these activities presents the university with different risks. Jean Chang (2012), former ERM director at Yale University, observed that IHEs are complicated businesses with millions of dollars at stake, but they don’t like to think of themselves as “enterprises.”

Organizational Type Impacts Institutional Culture

While Birnbaum (1988) notes that IHEs differ in important ways from other organizational types, especially for-profit businesses, he also concludes that colleges and universities differ from each other in important ways. Birnbaum outlines five models of organizational functioning in higher education: collegial, bureaucratic, political, anarchical, and cybernetic. In Bush’s (2011) text on educational leadership, he groups educational leadership theories into six categories: formal, collegial, political, subjective, ambiguity, and cultural. In their discussion of organizational structure, Bolman and Deal (2008) provide yet another method for analysis of organizational culture, identifying four distinctive “frames” from which people view their world and that provide a lens for understanding organizational culture: structural, human resources, political, and symbolic.

Each of these models can provide a conceptual framework by which to understand and evaluate the culture of a college or university. Understanding the organizational type of a particular institution is imperative when considering issues such as the process by which goals are determined, the nature of the decision-making process, and the appropriate style of leadership to accomplish goals and implement initiatives. What works in one university organizational type may not be effective in another. The leadership style of senior administration may be operating from one frame or model while the culture of the faculty may be operating from another, thus affecting policy and practice in positive or negative ways.

While not true across the board, for-profit organizations tend to operate from what Bush as well as Bolman and Deal refer to as the formal or structural models and Birnbaum terms bureaucratic. The structural frame represents a belief in rationality. Some assumptions of the structural frame are that “suitable forms of coordination and control ensure that diverse efforts of individuals and units mesh” and that “organizations work best when rationality prevails over personal agendas” (Bolman and Deal 2008, p. 47). Understanding this cultural and framing difference is important when considering the adoption and implementation of ERM in the university environment, and can help to explain why many university administrators and faculty are skeptical of the more corporate approach often taken in ERM implementation outside of higher education.

Bush observes that the collegial model has been adopted by most universities and is evidenced, in part, by the extensive committee system. Collegial institutions have an “emphasis on consensus, shared power, common commitments and aspirations, and leadership that emphasizes consultation and collective responsibilities” (Birnbaum, p. 86). Collegial models assume that professionals also have a right to share in the wider decision-making process (Bush 2011, p. 73). Bush points out that collegial models assume that members of an organization agree on organizational goals, but that often various members within the institution have different ideas about the central purposes of the institution because most colleges and universities have vague, ambiguous goals. Birnbaum describes the collegium (or university environment) as having the following characteristics:

The right to participate in institutional affairs, membership in a congenial and sympathetic company of scholars in which friendships, good conversation, and mutual aid flourish, and the equal worth of knowledge in various fields that precludes preferential treatment of faculty in different disciplines. (p. 87)

ERM (or risk management and compliance initiatives in general) tend to be viewed as more corporate functions and to align with formal, structural, and bureaucratic aims, goal setting, planning, and decision making. The chart in Exhibit 9.1 outlines management practices and how they are viewed from the formal/structural and collegial/human resources models. As will become clear in the University of Washington ERM implementation case described in this chapter, the culture of higher education in general, and the institution-specific culture of the particular organization, cannot be ignored when adopting or implementing an ERM program, and may be the most important element when making ERM program, framework, and philosophy decisions.

Exhibit 9.1 Distinctions between Structural and Collegial Elements of Management*

Elements of Management | Formal/Structural: Bolman and Deal | Formal/Structural: Bush | Formal/Structural: Birnbaum | Collegial/Human Resources: Bolman and Deal | Collegial/Human Resources: Bush | Collegial/Human Resources: Birnbaum

Level at which goals are determined | Institutional | Institutional | Institutional | Institutional | Institutional | Institutional through agreement and consensus

Process by which goals are determined | Vertical and lateral processes | Set by leaders | Based on organizational structure and role | Agreement | Agreement | Consensus

Relationship between goals and decisions | Organizations exist to achieve established goals | Decisions based on goals | Conscious attempt to link means to ends and resources to objectives | Shared sense of direction and commitment | Decisions based on goals | Strong and coherent culture and value consensus informs decisions

Nature of the decision process | Rational; rules, policies, and standard operating procedures | Rational | Rational; compliance with rules and regulations | Egalitarianism; teams | Collegial | Deliberative consensus

Nature of structure | Organizations increase efficiency and enhance performance through specialization and division of labor | Objective reality; hierarchical | Designed to accomplish large-scale tasks by systematically coordinating the work of many individuals | Organizations exist to serve human needs; must be a good fit between organization and people | Lateral | Collegial

Style of leadership | Established authority | Leader establishes goals and initiates policy | Leader is concerned with planning, directing, organization, staffing, and evaluating | Doesn’t control or overly structure; sensitive to both task and process; use of teams | Leader seeks to promote consensus | Leader is “first among equals,” consultation and collective responsibilities

* Adapted from Bush (2011), 199 (Figure 9.1).

Risks Affecting Higher Education

One way in which colleges and universities are becoming more like other organizations is the type and variety of risks affecting them. Risk and crisis in higher education may arise from a variety of sources: a failure of governance or leadership; a business or consortium relationship; an act of nature; a crisis related to student safety or welfare or that of other members of the community; a violation of federal, state, or local law; or a myriad of other factors. The University Risk Management and Insurance Association (URMIA 2007) cites several drivers that put increased pressure and risk on colleges and universities, including competition for faculty, students, and staff; increased accountability; external scrutiny from the government, the public, and governing boards; IT changes; competition in the marketplace; and increased levels of litigation. A comprehensive, yet not exhaustive, list of risks affecting higher education is outlined in Exhibit 9.2. Risks unmitigated at the unit, department, or college level can quickly lead to high-profile institutional risk when attorneys, the media, and the public get involved. Helsloot and Jong (2006) observe that higher education has a unique risk as it relates to the generation and sharing of its core task: “to gather, develop, and disseminate knowledge” (p. 154), noting that the “balance between the unfettered transfer of knowledge, on the one hand, and security, on the other, is a precarious one” (p. 155).

EMERGENCE OF ERM IN HIGHER EDUCATION

In the corporate sector, interest in the integrated and more strategic concept of enterprise risk management (ERM) has grown significantly in the past 15 years (Arena, Arnaboldi, and Azzone 2010). Certain external factors affected the adoption and implementation of ERM practices in corporations, including significant business failures in the late 1980s that occurred as a result of high-risk financing strategies (URMIA 2007). Governments in several European countries took actions and imposed regulatory requirements regarding risk management earlier than was done in the United States, issuing new codes of practice and regulations such as the Cadbury Code (1992), the Hampel Report (1998), and the Turnbull Report (1999). In 2002, the Public Company Accounting Reform and Investor Protection Act (otherwise known as Sarbanes-Oxley, or SOX) was enacted in the United States. In 2007, the Securities and Exchange Commission (SEC) issued guidance placing greater emphasis on risk assessment and began to develop requirements for enterprise-wide evaluation of risk. In February 2010, the SEC imposed regulations requiring for-profit corporations to report in depth on how their organizations identify risk, set risk tolerances, and manage risk/reward trade-offs throughout the enterprise.

While widespread in the corporate sector, in large part due to regulatory compliance, ERM is fairly new in higher education. Gurevitz (2009) observes that educational institutions “have been slower to look at ERM as an integrated business tool, as a way to help all the stakeholders—trustees, presidents, provosts, CFOs, department heads, and frontline supervisors—identify early warning signs of something that could jeopardize a school’s operations or reputation.” In 2000, the Higher Education Funding Council of England enacted legislation requiring all universities in England to implement risk management as a governance tool (Huber 2009). In Australia, the Tertiary Education Quality Standards Agency (TEQSA 2013) evaluates the performance of higher education providers against a set of threshold standards and makes decisions in relation to their performance in line with three regulatory principles, including understanding an institution’s level of risk.

Exhibit 9.2 Risks Affecting Higher Education

Institutional Area | Types of Risk

Boards of Trustees and Regents, President, Senior Administrators | Accreditation; Board performance assessment; CEO assessment and compensation; Conflict of interest; Executive succession plan; Fiduciary responsibilities; IRS and state law requirements; Risk management role and responsibility

Business and Financial Affairs | Articulation agreements; Bonds; Budgets; Business ventures; Cash management; Capital campaign; Contracting and purchasing; Credit rating; Debt load/ratio; Endowment; Federal financial aid; Fraud; Gift/naming policies; Insurance; Investments; Loans; Outsourcing; Transportation and travel; Recruitment and admissions model

Compliance with Federal, State, and Local Laws, Statutes, Regulations, and Ordinances | Americans with Disabilities Act (ADA)/Section 504; Copyright and fair use; Drug-Free Schools and Communities Act; Family Educational Rights and Privacy Act (FERPA); Health Insurance Portability and Accountability Act of 1996 (HIPAA); Higher Education Opportunity Act; IRS regulations; Integrated Postsecondary Education Data System (IPEDS); Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act); National Collegiate Athletic Association (NCAA)/National Association of Intercollegiate Athletics (NAIA) regulations; Record retention and disposal; Tax codes; Whistle-blower policies

Campus Safety and Security | Emergency alert systems for natural disaster or other threat; Emergency planning and procedures; Incident response; Infectious diseases; Interaction with local, state, and federal authorities; Minors on campus; Terrorism; Theft; Violence on campus; Weapons on campus; Weather

Information Technology | Business continuity; Cyber liability; Electronic records; Information security; Network integrity; New technologies; Privacy; System capacity; Web page accuracy

Academic Affairs | Academic freedom; Competition for faculty; Faculty governance issues; Grade tampering; Grants; Human subject, animal, and clinical research; Intellectual property; Internship programs; Joint programs/partnerships; Laboratory safety; Online learning; Plagiarism; Quality of academic programs; Student records; Study abroad; Tenure

Student Affairs | Admission/retention; Alcohol and drug use; Clubs and organizations; Conduct and disciplinary system; Dismissal procedures; Diversity issues; Fraternities and sororities; Hate crimes; Hazing; International student issues; Psychological disabilities issues; Sexual assault; Student death; Student protest; Suicide

Employment/Human Resources | Affirmative action; Background checks; Discrimination lawsuits; Employment contracts; Grievances; Labor laws; Performance evaluation; Personnel matters; Sexual harassment; Termination procedures; Unions; Workplace safety

Physical Plant | Building and renovation; Fire; Infrastructure damage; Off-site programs; Public-private partnerships; Residence hall and apartment safety; Theft

Other | Alumni; Athletics; External relations; Increased competition for students, faculty, and staff; Increased external scrutiny from the public, government, and media; Medical schools, law schools; Vendors

In the United States, engaging in risk management efforts and programs for IHEs is not specifically required by accrediting agencies or the federal government. Perhaps because it is not required, ERM has not been a top focus for boards and senior administrators at IHEs. Tufano (2011) points out that risk management in the nonprofit realm, including higher education, is significantly less developed than in much of the corporate world and often still has a focus on avoidance of loss rather than setting strategic direction. Mitroff, Diamond, and Alpaslan’s (2006) survey assessing the state of crisis management in higher education revealed that colleges and universities were generally well prepared for certain crises, particularly fires, lawsuits, and crimes, in part because certain regulations impose requirements. They were also well prepared for infrequently experienced but high-profile situations such as athletics scandals, perhaps based on their recent prominence in the media. However, they were least prepared for certain types of crises that were frequently experienced such as reputation and ethics issues, as well as other nonphysical crises such as data loss and sabotage.7 A survey conducted by the Association of Governing Boards of Universities and Colleges and United Educators (2009) found that, of 600 institutions completing the survey, less than half of the respondents “mostly agreed” that risk management was a priority at their institution. Sixty percent stated that their institutions did not use a comprehensive, strategic risk assessment to identify major risks to mission success. Recent high-profile examples may be beginning to change that. The Freeh Report regarding Penn State determined that “the university’s lack of a robust risk-management system contributed to systemic failures in identifying threats to individuals and the university and created an environment where key administrators could ‘actively conceal’ troubling allegations from the board” (Stripling 2012).

ADOPTING AND IMPLEMENTING ERM IN COLLEGES AND UNIVERSITIES

In 2001, PricewaterhouseCoopers and the National Association of College and University Business Officers (NACUBO) sponsored a think tank of higher education leaders to discuss the topic of ERM in higher education, likely in response to widespread discussion in the for-profit sector and in anticipation of potential regulatory implications for higher education. The group included Janice Abraham, then president and chief executive officer of United Educators Insurance, as well as senior administrators from seven universities.8 The focus of their discussion was on the definition of risk; the risk drivers in higher education; implementation of risk management programs to effectively assess, manage, and monitor risk; and how to proactively engage the campus community in a more informed dialogue regarding ERM. Their conversation produced a white paper, “Developing a Strategy to Manage Enterprisewide Risk in Higher Education” (Cassidy et al. 2001). In 2007, NACUBO and the Association of Governing Boards of Universities and Colleges (AGB) published additional guidance in their white paper, “Meeting the Challenges of Enterprise Risk Management in Higher Education.” The University Risk Management and Insurance Association (URMIA) also weighed in with its white paper, “ERM in Higher Education” (2007). In 2013, Janice Abraham wrote a text published by AGB and United Educators, entitled Risk Management: An Accountability Guide for University and College Boards. These documents provide guidance and information to institutions considering the implementation of an ERM program and discuss the unique aspects of the higher education environment when considering ERM implementation.

Several authors have discussed the transferability of the ERM model to higher education, even with the cultural and organizational differences that abound between the for-profit environment and higher education. URMIA (2007) concluded that “the ERM process is directly applicable to institutions of higher education, just as it is to any other ‘enterprise’; there is nothing so unique to the college or university setting as to make ERM irrelevant or impossible to implement” (p. 17). Whitfield (2003) assessed the “feasibility and transferability of a general framework to guide the holistic consideration of risk as a critical component of college and university strategic planning initiatives” (p. 78) and concluded that “the for-profit corporate sector’s enterprise-wide risk management framework is transferable to higher education institutions” (p. 79).

National conferences for higher education associations such as NACUBO, AGB, URMIA, and others had presentations on ERM. Insurers of higher education, such as United Educators and Aon, as well as consultants such as Accenture and Deloitte, among others, provided workshops to institutions and published white papers of their own, such as the Gallagher Group’s “Road to Implementation: Enterprise Risk Management for Colleges and Universities” (2009). In the early 2000s, many IHEs rushed to form committees to examine ERM and hired risk officers in senior-level positions, following the for-profit model.9 However, when specific regulations such as those imposed by the SEC for for-profit entities did not emerge in the higher education sector, interest in highly developed ERM models at colleges and universities began to wane. Gurevitz (2009) points out that the early ERM frameworks weren’t written with higher education in mind and were often presented “in such a complicated format that it made it difficult to translate the concepts for many universities.”

Institutions with ERM programs have taken various paths in their selection of models and methods and have been innovative and individualized in their approaches. There is no comprehensive list of higher education institutions with ERM programs, and not all IHEs with integrated models use the term ERM. Exhibit 9.3 shows a snapshot of IHEs that have adopted ERM; a review of their websites demonstrates the various risk management approaches adopted by IHEs and the wide variability in terminology, reporting lines, structure, and focus. In many instances, those IHEs with highly developed programs today had some form of “sentinel event” (regulatory, compliance, student safety, financial, or other) that triggered the need for widespread investigation and, therefore, the development of more coordinated methods for compliance, information sharing, and decision making. In other situations, governing board members brought their business experience with ERM to higher education, recognizing the “applicability and relevance of using a holistic approach to risk management in academic institutions” (Abraham 2013, p. 6).

Regardless of the impetus, the current focus appears to be on effectively linking risk management to strategic planning. Abraham points out that many higher education institutions are recognizing that an effective ERM program, with the full support of the governing board, “will increase a college, university or system’s likelihood of achieving its plans, increase transparency, and allow better allocation of scarce resources. Good risk management is good governance” (p. 5). Ken Barnds (2011), vice president at Augustana College, points out that “many strategic planning processes, particularly in higher education, spent an insufficient amount of time thinking about threats and weaknesses.” Barnds believes that “an honest and thoughtful assessment of the college’s risks . . . would lead [Augustana] in a positive, engaged, and proactive direction.” A recent Grant Thornton (2011) thought paper urges university leaders to think about more strategic issues as part of their risk management, including board governance, IRS scrutiny of board oversight practices, investment performance in university endowments, indirect cost rates in research, changes in employment practices, and outsourcing arrangements.

Exhibit 9.3 Sample of Colleges and Universities with ERM Programs

Institution | Title of Person with ERM Responsibility | Website

Duke University | Executive Director of Internal Audit | http://internalaudits.duke.edu/risk-assessment/index.php

Emory University | Chief Audit Officer | www.emory.edu/[…]Y_R[…]/stories/2010/04/19/risk_management.html

Georgia State University | Director, Enterprise Risk Management | www.gsu.edu/accounting/63370.html

Iowa State University | Associate Vice President for Budget and Planning | www.provost.iastate.edu/what-we-do/er…

Johnson & Wales | Director of Compliance, Internal Audit, and Risk Management | www.jwu.edu/content.aspx?id=57825

Maricopa County Community College District (…D) | Director of Enterprise Risk Management | www.maricopa.edu/publicstewardship/governance/adminregs/auxiliary/4_16.php

Ohio University | Associate Vice President for Risk Management and Safety | www.ohio.edu/riskandsafety/urmi.htm

Texas A&M University System | Office of Risk Management and Benefits Administration | www.tamus.edu/offices/risk/riskmanage/guide/enterprise-risk-management/

University of Alaska System | Chief Risk Officer | www.alaska.edu/risksafety/

University of California | Risk Services, Office of the President | www.ucop.edu/enterprise-risk-management/

University of Denver | Director of Enterprise Risk Management | www.du.edu/internal-audit/internal_audit/faq.html

University of Iowa | Senior Vice President of Finance and Operations and Treasurer | www.uiowa.edu/~fusrm/EnterpriseRiskManagement/index.html

University of Maryland | Vice President for Planning and Accountability | www.umaryland.edu/accountability-old/risk-management/

University of Notre Dame | Director of Risk Management and Safety | http://riskmanagement.nd.edu/abou…

University of Vermont | Senior Strategist for Enterprise Risk and Planning, Office of the Vice President for Finance & Administration | www.uvm.edu/~erm

University of Washington | Risk Analyst | http://f2.washington.edu/fm/er…

Yale University | Director of ERM | http://ogc.yale.edu/riskmanagemen…

Regardless of terminology, there is an increased priority on taking a more enterprise-wide approach to risk management and moving from a compliance- driven approach to a comprehensive, strategic approach across and throughout the organization that is used to positively affect decision making and impact mis- sion success and the achievement of strategic goals. Tufano (2011) points out that even in the corporate environment, top leaders are not inclined to work through a detailed step-by-step risk management process, but rather take a top- level approach. In the university environment, this means asking three fundamen- tal questions: What is our mission? What is our strategy to achieve it? What risks might derail us from achieving our mission? Richard F. Wilson, president of Illinois Wesleyan University, may best summarize the current perspective of senior-level higher education administrators:

When I first started seeing the phrase “enterprise risk management” pop up in higher education literature, my reaction was one of skepticism. It seemed to me yet another idea of limited value that someone had created a label for, to make it seem more important than it really was. Although some of that skepticism remains, I find myself increasingly in sympathy with some of its basic tenets . . . [especially] the analysis that goes into decisions about the future. Most institutions are currently engaged in some kind of strategic planning effort driven, in part, by the need to protect their financial viability and vitality for the foreseeable future. . . . Bad plans and bad execution of good ideas can put an institution at risk fairly quickly in the current environment. Besides examining what we hope will happen if a particular plan is adopted, we should also devote time to the consequences if the plan does not work. I still cannot quite get comfortable incorporating enterprise risk man- agement into my daily vocabulary, but I have embraced the underlying principles. (Wilson 2013)

THE UNIVERSITY OF WASHINGTON: A JOURNEY OF DISCOVERY The University of Washington (UW) has a robust enterprise risk management (ERM) program that is moving into its seventh year. The program began with what administrators10 at UW call a “sentinel event,” settling a Medicare and Medicaid overbilling investigation by paying the largest fine by a university for a compliance failure—$35 million. This led the new president, Mark Emmert, to for- mally charge senior administrators in 2005 with the task of identifying best prac- tices for “managing regulatory affairs at the institutional level by using efficient and effective management techniques” (UW ERM Annual Report 2008, p. 4). At the outset in 2006, the objective for UW was to “create an excellent compliance model built on best practices, while protecting its decentralized, collaborative, and entrepreneurial culture” (Collaborative ERM Report 2006, p. vi). The ERM pro- cess at UW has been what Ann Anderson, associate vice president and controller, terms “a journey of discovery.” ERM has developed and evolved at UW, mov- ing from what UW administrators describe as an early compliance phase, through

156 Implementing Enterprise Risk Management

a governance phase to a mega-risk phase. Currently, the University of Washing- ton is focused on two objectives: (1) strengthening oversight of top risks, and (2) enhancing coordination and integration of ERM activities with decision-making processes at the university. This case study will describe the decision-making and implementation process at UW, as well as outline various tools and frameworks that UW adopted and adapted for use not only in the higher education setting in general, but to fit specifically within the university’s decentralized culture.

Institutional Profile

Founded in 1861, the University of Washington is a public university enrolling some 48,000 students and awarding approximately 10,000 degrees annually (see Exhibit 9.4). The institution also serves approximately 47,000 extension students. There are nearly 650 student athletes in UW’s 21 Division I men’s and women’s teams. There is a faculty/staff of over 40,000, making UW the third-largest employer in the state of Washington. The university is comprised of three cam- puses with 17 major schools and colleges and 13 registered operations abroad. It has a $5.3 billion annual budget, with $1.3 billion in externally funded research and $2.6 billion in clinical medical enterprise. UW has been the top public university in federal research funding every year since 1974 and has been among the top five universities, public and private, in federal funding since 1969. The university has an annual $9.0 billion economic impact on the state of Washington.

Culture at UW

When appointed to serve on the President’s Advisory Committee on ERM (PACERM) in 2007, Professor Daniel Luchtel commented, in the context of talking about risk assessments, that “the number of issues and their complexity is stun- ning. The analogy that comes to mind is trying to get a drink of water from a fire hose” (2007 ERM Annual Report, p. 4). As with most higher education institutions, especially research universities, along with the core business of the teaching and learning of undergraduate and graduate students, the faculty are focused on the creation of new knowledge. “The University of Washington is a decentralized yet collaborative entity with an energetic, entrepreneurial culture. The community members are committed to rigor, integrity, innovation, collegiality, inclusiveness, and connectedness” (Collaborative Enterprise Risk Management Final Report 2006, p. v).

Faculty innovation and the idea of compliance don’t always go hand in hand in higher education, and UW is no exception. Research associate professor David Lovell, vice-chair of the Faculty Senate in 2007–2008, expresses it well:

“Compliance” [is] not necessarily a good word for faculty members. . . . What lies behind [that] is the high value faculty accord to personal autonomy. . . . The notion of a culture of compliance sounds like yet another extension of impersonal, corpo- rate control, shrinking the arena of self-expression in favor of discipline and con- formity. . . . Over the last ten months, I’ve come to understand that you’re not here to get in our way, but to make it possible for us faculty legally to conduct the work we came here to do. . . . I hope that working together, we can try to spread such understanding further, so that we can make compliance—or whatever term you choose—less threatening to faculty and frustrating to staff. (Annual ERM Report 2008, pp. 6–7)




Exhibit 9.4 University of Washington Student Profile (from University of Washington Fact Book). Figure not reproduced; the recoverable values are: 48,022 students were enrolled at the UW in the fall of 2009; women 52.4%, men 47.6%; two further panels report men at 46% and 44.2%.

Organizationally, the institution is divided into silos, which has historically focused risk mitigation within those silos.

Implementation History at UW

On April 22, 2005, President Mark Emmert sent an e-mail to the deans and cabinet members in which he said: “With the most recent example of compliance issues, we have again been reminded that we have not yet created the culture of compliance that we have discussed on many occasions.” He went on to say that “the creation of a culture of compliance needs to be driven by our core values and commitment to doing things the right way, to being the best at all we do. . . . We need to know that the manner in which we manage regulatory affairs is consistent with the best practices in existence.”

The Sentinel Event: Largest Fine at a Medical School

The Collaborative Enterprise Risk Management Report for the University of Washington (2006) began with the following: “Over the past few years, the UW has been confronted by a series of problems with institution-wide implications, including research compliance, financial stewardship, privacy matters, and protection of vulnerable populations” (p. v). The situation with the highest impact on the university began when Mark Erickson, a UW compliance officer, filed a complaint alleging fraud in the UW’s Medicare and Medicaid billing practices. The 1999 complaint prompted a criminal investigation, guilty pleas from two doctors, and a civil lawsuit resulting in the $35 million settlement, the largest settlement made by an academic medical center in the nation. The federal prosecutor claimed that “many people within the medical centers were aware of the billing problems” and that “despite this knowledge, the centers did not take adequate steps to correct them” (Chan 2004). UW’s 2006 ERM Annual Report acknowledges that, in addition to the direct cost of the fines, there were also indirect costs in terms of additional resources for reviews of university procedures, increased rigor and frequency of audits, and an incalculable damage to the university’s reputation. The federal prosecutor acknowledged that UW’s efforts to reform its compliance program have been “outstanding” (Chan 2004). He further noted that since the lawsuit was filed, the university “has radically restructured their compliance office. The government is very pleased with the efforts the UW is taking to take care of these errors.”

Leadership from the Top: President Outlines the Charge

At the time of the medical billing scandal, Lee L. Huntsman was president of UW. Huntsman had formerly been the acting provost, associate dean for scientific affairs at the school of medicine, and a professor of bioengineering. The UW Board of Regents had appointed Huntsman in a special session when Richard McCormick, the incumbent, accepted the presidency at Rutgers. Huntsman served for 18 months as president and continued as Special Assistant to the President and Provost for Administrative Transition until 2005 and as a senior adviser to the university for several more years. Mark A. Emmert, former chancellor of Louisiana State University and a UW alumnus, was appointed as the 30th president of UW and professor with tenure at the Evans School on June 14, 2004.

In April 2005, President Emmert charged V’Ella Warren, Vice President for Financial Management, and David Hodge, Dean of the College of Arts and Sciences, with conducting a preliminary review of best practices in compliance and enterprise risk management in corporate and higher education institutions. Warren engaged the Executive Director of Risk Management, Elizabeth Cherry, and the Executive Director of Internal Audit, Maureen Rhea, to conduct a literature search on enterprise risk management, particularly in higher education. Cherry and Rhea engaged Andrew Faris, risk management analyst, to assist, and the three spent nearly two years (from 2004 to 2006) conducting the literature search and finding out how risk management was functioning on other campuses. As they conducted their research, they continued to report their findings to Vice President Warren. They also piloted the risk assessment process with various departments at UW.

Based on their findings and discussions with Vice President Warren, a draft report was compiled to provide initial guidance of the development of a UW-specific framework. The report provided an overview of various approaches to compliance, described best practices at four peer universities (University of Texas system, University of Minnesota, University of Pennsylvania, and Stanford University), identified the common problems encountered in several recent compliance problems at UW, and offered suggestions for actions that UW might take in the effective management of compliance and risk. President Emmert then charged Warren and Hodge to cochair the recommended Strategic Risk Initiative Review Committee (SRIRC). The role of the SRIRC was to continue to investigate best practices in university risk management and make recommendations about a structure and framework for compliance that would fit the UW culture. In a memo to the SRIRC regarding that review, Warren and Hodge noted that they had “developed a framework for university-wide risk and compliance management which builds on [UW]’s decentralized and collaborative character.” President Emmert also made it clear that the proposed model should be driven by UW’s core values as well as promote “effective use of people’s time and energy.” In a memo to the deans and cabinet members in 2005, President Emmert declared that UW did not “want or need another layer of bureaucracy.”

The SRIRC was comprised of broad university representation, including the Executive Vice President, the Associate Vice President for Medical Affairs, the Senior Assistant Attorney General, the Vice Provost-elect for Research, the Vice Provost for Planning and Budgeting, the Chancellor of the University of Washington–Tacoma, the Athletic Director, the Dean of the School of Public Health and Community Medicine, the Provost and Vice President for Academic Affairs, the Dean of the School of Nursing, the Special Assistant to the President for External Affairs, the Vice President of Student Affairs, two faculty members, and two students. Meeting throughout the fall semester, the SRIRC reviewed the preliminary research material provided by Hodge and Warren and their team and discussed a variety of issues, including the structure for risk management, how risk assessment has been and could be conducted, communication issues, methods for reporting risks, ways to report progress, and others. For each initiative, they asked the following three questions: Does this proposal add value? What obstacles are apparent and how can they be addressed? How could this proposal be improved?

In addition to formal meetings, Cherry, Rhea, and Faris conducted one-on-one meetings with the SRIRC members to gather more information about how they viewed implementation at the university. Because one of the recommendations was the creation of a Compliance Council, meetings were also conducted throughout the campus with director-level personnel to survey their interests and suggestions regarding that aspect of the proposed model. Prior to the formal implementation of the ERM program, resources were also dedicated to create an infrastructure to sustain the recommended model. Faris’s role as risk manager was formally revised to create a full-time ERM analyst position within the Office of Financial Management in the Finance and Facilities division and a half-time ERM project manager position was created, filled by Kerry Kahl.


Advisory Committee Recommendations: Create a Culture-Specific ERM Program

In February 2006, Hodge and Warren put forth to President Emmert a Collaborative Enterprise Risk Management Proposal developed by the SRIRC. The proposal recommended that “the UW adopt an integrated approach to managing risk and compliance, commonly called enterprise risk management (ERM).” They acknowledged that the proposed changes were not intended to “replace what already works across the university,” but rather to “augment the existing organization with thoughtful direction, collaboration, and communication on strategic risks” (Collaborative ERM Final Report, February 13, 2006). At the outset, the SRIRC acknowledged that the structure and priorities of the ERM program would likely evolve and develop over time, but the members of the committee were confident that they had created a “strong, yet flexible framework within which to balance risk and opportunity” (February 14, 2006, memo to President Emmert).

While the report acknowledged the impetus for the creation of the ERM program (the $35 million compliance failure fine), it focused on the positive impact an ERM program could have for UW, beyond addressing compliance concerns. The report defined key terms and made recommendations based on three basic parameters: scope of the framework, organizational structure for the framework, and philosophy of the program. Each aspect was framed in the context of the literature review and campus comparisons; UW-specific recommendations were put forth based on SRIRC discussion and analysis.

Scope of the Risk Framework

The report reviewed and discussed the various approaches taken by organizations in practicing risk management, from a basic practice of risk transfer through insurance to a more integrated institution-wide approach. It acknowledged that, prior to implementation, some key decisions would need to be made: Would the scope of the program be institution-wide or targeted at the school, college, or unit level? Would it include all risks (compliance, finances, operations, and strategy) or be focused on certain categories of risk? ERM was cited as “the most advanced point on the continuum,” a model that integrates risk into the organization’s strategic discussions. The report also summarized a Centralized Compliance Management approach. This model, rather than encompassing all risks, would focus primarily on legal and regulatory compliance. It was noted that “while both are university-wide approaches, they vary in a number of important aspects, including scope, objective, and benefits” (p. 6).

The report also summarized the ERM models at four IHEs, based on interviews with compliance and audit managers at those institutions. Noting that all four were institution-wide approaches, Pennsylvania and Texas were identified as having adopted a more corporate philosophy; Minnesota, a compliance approach with a centralized style; and Stanford, a collaborative ERM approach (see Exhibit 9.5). The report recommended developing a “collaborative, institution-wide risk management model” for UW, one that “ensures that UW creates an excellent compliance model based on best practices, while protecting its decentralized, collaborative, and entrepreneurial culture” (p. 28).






Exhibit 9.5 UW’s Approach to Risk Management Compared to Other Institutions (from University of Washington Collaborative Enterprise Risk Management Final Report, February 13, 2006). Chart not reproduced; it places institutions on a scale running from Centralized Compliance to Enterprise Risk Management, with Washington marked on the chart.

Organizational Structure

Based on a review of the literature and discussions with risk and audit managers at other universities, the report also summarized various models and structures for organizing the risk management activities. One method was to appoint a central risk officer with institution-wide oversight and responsibility. With this model, key decisions would need to be made regarding reporting lines and the placement of that position within the organization. The report also outlined UW’s current approach to risk management, noting that it had moved beyond the insurance approach, “which is usually reactive and ad hoc,” but also observing that responsibility for specific risks was currently distributed among the institution’s organizational silos (p. 15). It further noted that “the UW does not formally integrate risk and compliance into its strategic conversations at the university-wide level” (p. 15). While acknowledging the good progress being made in several areas (including UW Medicine, the newly restructured Department of Audits, and the Office of Risk Management), the report highlighted the weaknesses of the current approach, including the fact that “due to the size, decentralization, and complexity of the institution, a proliferation of compliance, audit, and risk management activities has grown up around separate and distinct risk areas, each largely operating in a self-defined stovepipe” (p. 18).

Philosophy of the Program

The report also discussed the philosophy of a proposed risk management program, asking whether the preferred approach should focus on enforcing law and regulation—a compliance or control approach—or be one that “encouraged cooperation between faculty and staff to develop flexible compliance approaches—a collaborative approach” (p. 2). After sharing the findings from the literature review and the institutional profiles of the peer institutions, the report outlined three guiding principles to shape the evolution of compliance and risk management at UW: (1) foster an institution-wide perspective, (2) ensure that regulatory management is consistent with best practices, and (3) protect UW’s decentralized, collaborative, entrepreneurial culture. In light of these principles, the report made the following eight recommendations, detailing the key elements and implementation suggestions for each:

1. Integrate key risks into the decision-making deliberations of senior leaders and Regents.

2. Create an integrated, institution-wide approach to compliance.

3. Ensure that good information is available for the campus community.

4. Create a safe way for interested parties to report problems.

5. Minimize surprises by identifying emerging compliance and risk issues.

6. Recommend solutions to appropriate decision makers.

7. Check progress on compliance and risk initiatives.

8. Maintain a strong audit team.

EVOLUTION OF ERM AT UW

The SRIRC report acknowledged that the ERM concept was not new, but that it has not been fully implemented at many organizations, especially in higher education. The development of risk management within an organization was discussed, noting that the management of risk develops along a continuum, with early models focused on hazard risks only and mitigation being accomplished primarily through the purchase of insurance. As risk models evolve at an organization, other risk types are added to the model and more cross-functional participation by other units begins to occur. Ultimately, strategic risks are added to the conversation and there is an integration of information from all units across the university. It is at this point that risk can be viewed as both an opportunity and a threat and where mitigation priorities can be more clearly linked to the strategic objectives of the organization.

In 2006, when the ERM program and model were proposed, UW viewed itself as being in the middle of the continuum (see Exhibit 9.6). The report noted:

Although many operational units, committees, and administrative bodies handled the risks faced in their own environments well, there is little cross-functional sharing of information. The opportunity aspect of risk is therefore not fully utilized by the University and risk mitigation priorities are not consistently driven by the institution’s strategic objectives. (p. 4)

The 2012 ERM Annual Report observes that “the ERM program has continued to evolve, developing structural mechanisms to support the 8 initial recommendations” (p. 2).

Exhibit 9.6 Evolution of ERM at the University of Washington (from University of Washington 2009 ERM Annual Report, p. 4). Chart not reproduced; it plots risk categories (up to Strategic – Mega) against degree of cross-functional integration (Separate Functions, Partial Integration, Full Integration), marking what UW has accomplished and where UW’s program is headed.

Faris and Kahl commented that the first few years of implementation of ERM at UW were focused on risk assessments. They spent most of their time (both working with the ERM committees and in their roles as ERM staff) performing risk assessments using the risk mapping process (e.g., writing a risk statement, ranking the risks for likelihood and impact, plotting the risks on a 5 × 5 map). In the first four or five years, they conducted nearly 35 risk assessments across the university. Based on broad cross-functional topics identified by the President’s Advisory Committee on ERM (PACERM), the risk assessments were facilitated by Faris and Kahl with temporary teams put together to meet three to five times over the course of the year to write risk statements, rank them, and put together suggestions for mitigation.
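The risk-mapping steps named above (write a risk statement, rank it for likelihood and impact, plot it on a 5 × 5 map) as a small worked example. This is added code, not UW’s tooling and not anything from the chapter; the 1-to-5 scales, the multiplicative score, the High/Medium/Low bands and the sample risk statements are all assumptions chosen for illustration.

```python
"""Added example: a minimal risk register with a 5 x 5 likelihood/impact map.

Illustrates the risk-mapping steps the case study names (write a risk
statement, rank it for likelihood and impact, plot it on a 5 x 5 map).
Scales, bands and sample risks are assumptions, not UW's own tooling.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # likelihood and impact are both scored 1 (lowest) to 5 (highest)

# Constructed sample rows: (risk statement, likelihood, impact). The last row is
# deliberately out of range to show that bad scores are rejected, not plotted.
SAMPLE_RISKS = [
    ("Unpatched internet-facing servers expose patient data", 4, 5),
    ("Clinical billing codes diverge from payer rules", 3, 5),
    ("Key research faculty recruited away by peers", 2, 4),
    ("Minor laboratory safety incidents recur", 4, 1),
    ("Score entered outside the 1-5 scale", 6, 2),
]


@dataclass(frozen=True)
class Risk:
    statement: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        # Multiplicative score is the usual convention; it ranges from 1 to 25.
        return self.likelihood * self.impact


def priority_band(score: int) -> str:
    """Assumed banding: 15-25 High, 8-14 Medium, 1-7 Low."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def build_register(rows):
    """Return (valid risks ranked by score, rejected rows with a reason)."""
    valid, rejected = [], []
    for statement, likelihood, impact in rows:
        if likelihood not in SCALE or impact not in SCALE:
            rejected.append((statement, "likelihood and impact must both be 1-5"))
            continue
        valid.append(Risk(statement, likelihood, impact))
    # Highest score first; ties broken by impact so severe-but-rare risks surface.
    valid.sort(key=lambda r: (r.score, r.impact), reverse=True)
    return valid, rejected


def plot_5x5(risks):
    """Map each (likelihood, impact) cell of the 5 x 5 grid to the statements there."""
    cells = {(lk, im): [] for lk in SCALE for im in SCALE}
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r.statement)
    return cells


def render_map(cells) -> str:
    """Text heat map: impact on the vertical axis (5 at top), likelihood across."""
    lines = ["impact \\ likelihood " + " ".join(f"{lk:>3}" for lk in SCALE)]
    for impact in reversed(SCALE):
        row = [f"{impact:>19}"]
        for likelihood in SCALE:
            n = len(cells[(likelihood, impact)])
            row.append(f"{n if n else '.':>3}")
        lines.append(" ".join(row))
    return "\n".join(lines)


if __name__ == "__main__":
    ranked, bad = build_register(SAMPLE_RISKS)
    for r in ranked:
        print(f"{r.score:>2} {priority_band(r.score):<6} {r.statement}")
    for statement, reason in bad:
        print(f"rejected: {statement} ({reason})")
    print(render_map(plot_5x5(ranked)))
```

Running the block prints the ranked register, the rejected row and the text heat map. The validation step matters in practice: a score outside the scale would otherwise land in a cell the map does not have and quietly distort the ranking that committees use to set mitigation priorities.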

The first five years of ERM at UW were “formative” and focused on the following key activities:

• Developing a common language around risk
• Conducting individual risk assessments
• Focusing discussion and mitigation on financial and enrollment challenges
• Comparing financial strength (as gauged by Moody’s Investors Service) against peers
• Drafting an initial compendium of enterprise-wide success metrics

Well-written, clear annual reports to the president, the Board of Regents, and the UW community helped to connect the dots and keep the strategic overarching goals front and center, even as employees at the unit level were continuously engaged in the more operational aspects of ERM. Exhibit 9.7 summarizes the implementation time line from the formalized inception of ERM at UW to the present. A review of the chart shows how the UW has continued to focus on moving from an initial focus on hazard risk to a more integrated, strategic approach to enterprise risk management.


Exhibit 9.7 University of Washington ERM Implementation Time Line

Academic Year | Initiatives*

2005–2006
• President Emmert charged administrators with review of best practices and development of broad institutional compliance/risk framework for UW.
• Warren and Hodge drafted report with overview of institution-wide approaches, best practices at four peer universities, common compliance problems faced by UW, and suggestions for next steps.

2006–2007
• Developed a central focus and common language for evaluating risk across the university.
• ERM structure formed (including PACERM, Compliance Council).
• First UW-wide risk map was compiled.
• Office of Risk Management dedicated one FTE to ERM initiative.
• Dedicated $4.8 million in funds for integrity/compliance/stewardship initiatives, including animal care, student life counseling, human subjects, global activities, and IT security.
• Information about ERM program included in reinsurance renewal discussions with international underwriters.
• First Annual Report to the Board of Regents.

2007–2008
• Identified key strategic and mega risks for the institution.
• Expanded Compliance Council to form COFi.
• Rolled out Enterprise Risk Management Toolkit for units to do self-assessments.
• UW Medicine and Department of Athletics presented annual reports on their compliance programs and ongoing efforts to minimize risks and address current issues.
• Continued development of the Institutional Risk Register.
• Internal Audit department expanded from nine to 15 staff.

2008–2009
• Focused on financial crisis and demographics.
• PACERM formed two mega-risk subgroups to apply ERM processes at a strategic level: extended financial crisis and faculty recruitment and retention.
• HR advance planning for economic downturn and major reduction in state funding.
• Office of Risk Management conducted first Employment Practices Liability Seminar.
• ERM web pages were enhanced.
• Hired a new Executive Director for Audits.
• Second ERM Report to the Board of Regents.

2009–2010
• Development of the UW Integrated Framework based on COSO model.
• PACERM focused discussion on how to remain competitive.
• Initial exploration of enterprise-wide dashboard of success metrics.
• Use of risk assessments in business case alternatives and research proposals.

2010–2011
• PACERM evaluated the university’s academic personnel profile and oversaw major information technology projects.
• Assessed institutional financial strength in comparison to peers (Moody’s).
• More than 200 ERM Toolkits provided to universities and companies.

2011–2012
• Development of enterprise-wide dashboard of success metrics.
• UW’s work recognized as a “Best Practice” by the Association of Governing Boards for Universities and Colleges (AGB).

*All initiatives, including others not detailed in this chart, are outlined in more detail in the UW ERM Annual Reports, available at the website:


ERM STRUCTURE AT UW

The organizational structure for ERM at UW arose out of the initial recommendations of the SRIRC. In its aggregate, the UW ERM program is comprised of the following areas, working together to create an effective structure: UW units; ERM staff; Compliance, Operations, and Finance Council (COFi Council); President’s Advisory Committee on ERM (PACERM); Internal Audit; and the UW President and Provost (see Exhibit 9.8).

UW Units

At the unit level, staff and faculty take ownership of the activities that give rise to risk. They conduct risk and opportunities identification and self-assessments. They develop strategies and take action to mitigate and monitor risk. They are encouraged to share a summary of their risk assessments with the Office of Risk Management.

ERM Program Staff

There are 1.5 full-time equivalent (FTE) ERM program staff located in the office of the associate vice president/controller for UW. This staff supports the work of the various committees and units, in part by establishing the ERM framework, standards, and templates. They monitor and participate in risk assessments for the purpose of providing the enterprise view. They provide administrative support and summary information and analyses to the ERM committees. They also provide professional development in a train-the-trainer format.

Exhibit 9.8 University of Washington ERM Structure (from University of Washington 2010 ERM Annual Report, p. 10). Diagram not reproduced; its levels, from top to bottom, are: University President and Provost (UW environment, e.g., right side of cube); President’s Advisory Committee on Enterprise Risk Management (PACERM) at the entity level (e.g., top-down view of strategic risks, mega risks, and opportunities); Compliance, Operations, Finance Council (COFi) at the division or function level (e.g., middle-up, cross-functional view of compliance, operations, and financial risks), spanning eight functional areas of risk labeled Core Functions and Support Services: Research, Academic Affairs, Athletics, Health Care, Risk and Safety, Finance, Information Technology, and Human Resources; and the unit level (e.g., bottom-up view of risks and opportunities), with Attorney General, Risk Management, and Environmental Health & Safety given as examples of UW units.

Compliance, Operations, and Finance Council (COFi)

The COFi Council, led by the Executive Director of Audits, takes a middle-up, cross-functional view of risks and opportunities, particularly items that have university-wide potential impact or where supervisory authority for various aspects of the risk reside in different departments or divisions across the university. The COFi Council has oversight of risk assessments at the division or functional level. It provides approval of methods to monitor risks and identifies topics for outreach, particularly items that have university-wide potential impact or that involve cross-departmental or divisional silos. The six primary goals of the COFi Council are to:

1. Engage in a continual, cross-functional process that results in effective prioritization of institutional responses to compliance, financial, and operational risks, and consider the impact to strategic and reputational risks.

2. Ensure that the institutional perspective is always present in risk and compliance management discussions.

3. Identify strategies to address emerging risks and compliance management issues.

4. Support risk and compliance management training and outreach efforts throughout the university.

5. Provide external auditors and regulators with information about the university’s risk and compliance programs.

6. Avoid the creation of additional bureaucracy by minimizing redundancy and maximizing resources.

President’s Advisory Committee on ERM (PACERM)

PACERM, cochaired by the Provost and the Senior Vice President for Finance and Facilities, has oversight of risk assessments at the entity level. Taking a top-down view of risks and opportunities, PACERM advises the university president and other senior leaders on the management of risks and opportunities that may significantly impact strategic goals and/or priorities. They review the ERM dashboard (e.g., key risk indicators and key performance indicators). According to V’Ella Warren and Ana Mari Cauce, cochairs of PACERM in 2008–2009, PACERM “is the one place where participants set aside their individual organizational perspectives, and really think about the major risks and opportunities from an institution-wide view” (2009 ERM Annual Report, p. 6).

Internal Audit

Internal Audit provides independent verification and testing of internal controls. The department also provides administrative support and summary information to the COFi Council.


UW President and Provost

The President and Provost play a key role in acknowledging, validating, and supporting the ERM program. They verbally refer to key documents such as the ERM framework, PACERM and COFi Council charters and assessments, and the ERM dashboard. They provide entity-level reporting to the Regents.

UW’S ERM MODEL

After a careful review of models in the corporate sector and within higher education, UW settled on the following regarding its ERM model:

• Assess risks in the context of strategic objectives, and identify interrelation of risk factors across the institution, not only by function.

• Cover all types of risk: compliance, financial, operational, and strategic.

• Foster a common awareness that allows individuals to focus attention on risks with strategic impacts.

• Enhance and strengthen UW’s culture of compliance while protecting the decentralized, collaborative, entrepreneurial nature of the institution.

Adopting and Adapting the COSO Model

[Exhibit 9.9 figure: the University of Washington Enterprise Risk Management – Integrated Framework cube. Front face, ERM Process: Leadership, Culture, Values; Strategic Goals; Risk / Opportunity Identification; Risk / Opportunity Assessment; Response; Control Activities; Information & Communication; Monitoring & Measuring. Top face, Risk Categories: Compliance, Operations, Financial, Strategic, Mega. Right face, UW Environment: Unit Level; Division or Function Level; Entity Level; Alternatives.]

Exhibit 9.9 University of Washington’s ERM Integrated Framework. From University of Washington Enterprise Risk Management Toolkit, p. 7. Copyright 2007, University of Washington.

UW has defined ERM according to its interpretation of the Committee of Sponsoring Organizations (COSO) model, adapting the framework to fit the university environment and the UW in particular (see Exhibit 9.9). COSO describes ERM as “a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO 2004). Adopted in 2009–2010, the 2010 ERM Annual Report notes:

The UW ERM Integrated Framework offers a schema to integrate the views of risk that have historically been addressed in silos or through a fragmented approach. The ERM framework bridges the gap between lower-level issues and upper-level issues, and it allows us to be explicit about the multiple levels on which the ERM process is deployed as a risk and/or opportunity management mechanism. (p. 4)

Risk Categories

The top of the cube identifies risk types, including compliance, operations, and financial risks. Strategic risks can impact the mission. Mega risks are major external events over which the institution has no control, but for which the institution can prepare.

UW Environment

The right side of the cube views the organizational structure at three levels: entity, which entails all operations and programs; division or function, looking at a major risk in depth; and unit, where individual departments can use the tools to assess their risks. A fourth level of ERM used in the UW environment is to evaluate alternatives.

ERM Process

The front of the cube outlines the traditional eight steps from the COSO model, including setting the tone and context for ERM at the top, identifying risks in conjunction with strategic goals, and through the complete cycle with implementation and follow-up.

The report notes:

UW’s “cube” integrates the several ERM facets into a whole, and enables ERM to be applied in a very intentional manner: Starting any new risk assessment requires identifying the appropriate level of the organization or environment at which the assessment will be made; focusing on which set of risks (compliance—strategic—mega risks) to cover; and applying all the steps in the ERM cycle to ensure a complete assessment and follow through.

The UW views ERM as integrating risk discussions into strategic deliberations and identifying the interrelation of risk factors across activities. Using the COSO model, its eight-step process involves the following (see Exhibit 9.10):

1. Leadership, culture, and values. Setting the tone at the top.

2. Strategic goals. At the entity or institutional level (top down), the division or function level (risk topic across shared goals of VPs and deans—“middle up”), the unit level (such as a department, school, or college—bottom up), or the alternatives level (investment alternatives or business options).

[Exhibit 9.10 figure: the University of Washington ERM process cycle. Recoverable step labels: Leadership, Culture and Values; Strategic Goals; Risk Identification; Risk Assessment; Information and Communication; Monitoring and Measuring.]

Exhibit 9.10 University of Washington ERM Process. From University of Washington Enterprise Risk Management Toolkit, p. 8. Copyright 2007, the University of Washington.

3. Risk identification. In the appropriate context, name the harm, loss, or compliance violation to avoid, as well as the opportunities to be identified. This typically begins with listing broad risk activities or subject areas. Risks can be identified at the entity, division, functional, unit, or alternatives level. This process includes the use of risk statements and opportunity identification.

4. Risk assessment. In the appropriate context, analyze the risk or opportunity in terms of likelihood and impact (see Exhibit 9.11). Create a risk map, ranking or prioritizing risks to inform decisions regarding response. For opportunities, rate the likelihood of occurrence on a scale of 1 to 5 (1 = rare, not expected to occur in the next five years; 5 = almost certain, expected to occur more than once per year). Also rank the positive impact, considering what impact the opportunity would have on the institution’s ability to achieve goals or objectives (1 = insignificant, with little or no impact on objectives and no impact to reputation and image; 5 = outstanding, could significantly enhance the capability to meet objectives and could significantly enhance reputation and image).

5. Response. Selecting the appropriate response involves comparing the cost of implementing the option against benefits derived from it. Responses include avoid, mitigate, transfer, or accept the risk. For opportunities, the response can be exploit, enhance, share, or ignore.

6. Controls. Document internal controls for top risks, and rank for effectiveness. For UW, internal controls are narrowly defined to describe the methods used by staff or faculty that help ensure the achievement of goals and objectives, such as policies, procedures, training, and operational and physical barriers.

[Exhibit 9.11 figure: a likelihood-and-impact risk map with both axes scored 1 to 5. Impact axis: Catastrophic (5), Disastrous (4), Serious (3), Minor (2), Insignificant (1). Likelihood axis: Rare (1), Unlikely (2), Possible (3), Likely (4), Almost Certain (5). Risk level score ranges: 19.5–25; 12.5–19.4; 9.5–12.4; 4.5–9.4; 1–4.4.]

Exhibit 9.11 University of Washington Risk Assessment: Likelihood and Impact. From University of Washington Enterprise Risk Management Toolkit, p. 17. Copyright 2007, the University of Washington.

7. Information and communication. Communicate with stakeholders and take action (the transition from analysis to action). Designate a risk owner for each of the top risks.

8. Monitoring and measuring. Monitor performance to confirm achievement of goals and objectives, and monitor risk to track activities that prevent achievement of goals and objectives.

Tools and Techniques

As its ERM program has developed and evolved, UW has learned from its experience and is positioned to share information not only internally, but with others in higher education as well. The university has developed a comprehensive Enterprise Risk Management Toolkit, copyrighted in 2007, with the second edition released in 2010. The second edition includes an expanded section on the ERM process and has new material on evaluating opportunities. It consists of a manual and a set of spreadsheets that provide a framework for assessing and understanding institutional risks. The UW allows access to the Toolkit for UW staff, faculty, and students, federal agencies, Washington State agencies, and other institutions of higher education at no charge through the UW Center for Commercialization Express Licensing Program.

As is typical with most universities, the tools utilized by UW for conducting the risk assessment process are Microsoft Office products. Excel is used to catalog risk assessment inventories and Word for report writing. While the administrators have explored many options for software to aid in the process (and to potentially provide outcomes such as dashboards), they find that, having been developed in the corporate for-profit environment, none of those options are particularly suited to capturing the needs of the higher education environment. They note, however, that at the unit level, many departments are investing in unit-specific software to aid in their data management. For example, the Finance and Budgeting Office is investigating software to run stress tests and financial simulations, and the Human Resources Office is examining payroll software. This allows the units to be able to more quickly evaluate risk specific to their areas, but UW finds that its ability to aggregate risks for examination at the entity level can be accomplished effectively with its low-tech process.

OUTCOMES AND LESSONS LEARNED

UW administrators can chart the evolution of their ERM program and the effectiveness it has on the university. They note that the early wins were at the unit level, when specific departments, such as Information Security and Environmental Health and Safety, integrated the ERM process with their well-established strategic planning processes. Those units used the risk assessment tools to identify and rank risks that could hinder or prevent the achievement of their strategic goals. Integration of ERM at the entity level is happening more slowly, but issues that impact everyone at the UW, such as faculty recruitment and retention or responding to the external financial crisis, now can happen in a more integrated fashion as the understanding of ERM evolves. For several years, due to severe budget reductions, the Office of Planning and Budgeting consciously added some questions about risk assessment into the budget request process. Vice presidents and deans were asked to address the impact of budget reductions in terms of risk. This happened, in part, because two key members of the Budget and Planning Office, as well as the Provost, have been involved with the PACERM.

UW administrators have a few other observations about their process and how and why it has worked. First, they note that they were aware from the outset that the environment at UW is highly decentralized and that appointing an “ERM czar” or chief risk officer (CRO) wouldn’t fit with the culture. They made a deliberate choice not to formalize ERM through a senior-level position, but rather to engage in implementation through a committee structure. Second, they involved faculty members from the beginning. This helped with a sense of shared purpose. Faculty members came to see the business side of academia, and staff and administrators better understood the point of view of scholars engaged in teaching and learning. Third, the senior leadership has stayed dedicated to the ERM process, even with transitions in the president and other senior administrators. The 2011 ERM Annual Report points out the benefits to the UW of the ERM approach:

The value of ERM is both qualitative (e.g., risk and opportunity maps) and quantitative (e.g., dashboards to contextualize and display metrics). Qualitative benefits accumulate because the risk mapping process allows groups throughout the University to collectively prioritize issues, and ensure that the effort and resources involved in root cause analysis, measurement, and monitoring are applied only to the most significant concerns. Each iteration of the ERM process results in new capabilities, and insight gained into maintaining the University’s competitive advantage—particularly from managing our financial risks and strategic opportunities better than our peers. (p. 5)

UW has been strategic, deliberate, and inclusive as it continues on its journey to develop and enhance its ERM program, learning lessons from what works and adapting new strategies in order to improve or modify its program. ERM began at UW in 2006 “by establishing a collaborative approach and structure to consider broad perspectives in identifying and assessing risk” (2012 Annual Report, p. 3). This strategy has helped UW overcome some of the traditional challenges facing universities when implementing ERM, including addressing concerns about the real effectiveness of risk assessment, getting agreement on definitions of risk assessment impact, identifying risk owners, and moving beyond the “risk discussion” to focus on mitigation (2012 Annual Report, p. 3). In her November 2012 presentation on UW’s ERM program to the Pacific Northwest Enterprise Risk Forum, Ann Anderson, Associate VP and Controller, outlined the following seven key lessons that UW has learned by engaging in ERM for almost eight years:

1. Clarify the roles of the various risk committees.

2. Develop a “work plan” for the committees.

3. Develop engaging agendas, focused at the appropriate level.

4. Don’t overemphasize “lowest common denominator” risks.

5. Gather data/information to develop expertise on specific risks.

6. Avoid discussing low-level, narrow risks—too time-consuming!

7. Don’t get into the weeds with implementation and process. Delegate actions to responsible parties.

WHAT NEXT?: CURRENT PRIORITIES AND FUTURE DIRECTION

As the 2010 ERM Annual Report points out, the process of involving people in risk assessments, even with the most well-developed risk assessment tools, is only part of the process. “Successfully maintaining a large-scale organizational initiative such as ERM requires a comprehensive, broad based approach that is widely understood and used regularly to clearly articulate where risks and opportunities exist throughout the University” (p. 4). As ERM moves forward at UW, the focus is on a “greater refinement of institutional success metrics, increased assessments of risks identified, and continued expansion across the university to incorporate risk assessment into decision-making and strategic planning” (2012 Annual Report, p. 2). The objectives for 2013–2014 are: (1) strengthen oversight of the top risks and (2) enhance coordination and integration of ERM activities with decision-making processes. Several initiatives will help UW achieve these objectives, including seeking input and approval from the PACERM in order to elevate the monitoring of the top risks; a comparison of the institutional-level risks with unit-level risks; the development of quantitative visual representations of the risks, metrics, and targets; engaging the community more broadly in risk management; integrating risk management with the budget and planning cycle for the university; a retrospective analysis of risks and mitigation investments; and a forward-looking analysis to highlight gaps and areas of concern. They are also in the process of developing specific deliverables and measures as indicators of success, such as executive-level risk registers, dashboards of key risks, and a foundation and structure to integrate risk maps and dashboards with the planning and budgeting cycle.

CONCLUSION

UW’s ERM implementation process and lessons learned are consistent with the guidance offered by the National Association of College and University Attorneys (NACUA). In a 2010 conference presentation, NACUA identified the following eight critical success factors:

1. Establish the right vision and realistic plan.

2. Obtain senior leadership buy-in and direction.

3. Align with mission and strategic objectives.

4. Attack silos at the outset.

5. Set objectives and performance indicators.

6. Stay focused on results.

7. Communicate vision and key outcomes.

8. Develop a sustainable process versus a one-time project.

While complex and time-consuming, effective development of a culture-specific ERM program can have positive outcomes for colleges and universities. Institutions such as UW that view ERM as a long-term investment in institutional health, rather than a fad or simply a set of tools (such as spreadsheets and heat maps), position themselves well not only to respond to the external demands from credit ratings agencies, accreditors, and federal regulators, but to situate themselves to make key strategic decisions, informed by both quantitative and qualitative data, to enhance their organization, leading to increased enrollment and graduation and strategic disbursement of resources for teaching and research, as well as increasing the likelihood that, due to their integrated, proactive approach, they will avoid future compliance scandals. Perhaps the two most important deliverables on UW’s 2013–2014 agenda are those that demonstrate its awareness of the importance of the human resources component in its collegial environment: outreach to faculty and other administrators to obtain broader validation of risks and to identify additional mitigation activities, and an iterative process to involve senior leaders, the Provost, the President, and the Regents in monitoring the top risks. Through this process, UW is building a culture not only of compliance, but of shared responsibility for the future health of the university.

QUESTIONS

1. How does ERM adoption and implementation in the higher education environment differ from the for-profit environment?

2. What type of culture is at the University of Washington? Why is culture important to consider when implementing ERM?

3. What were some of the key factors in the early stages of UW’s ERM adoption and implementation that led to its current success within the organization?

4. Why did UW decide to adopt a committee structure to administer its ERM program rather than designate a senior level Chief Risk Officer?

5. Who are some of the key players involved in the decision-making about the ERM model and its current administration?

NOTES

1. Many colleges and universities were affected by Hurricane Katrina in the New Orleans area (see the American Association of University Professors [AAUP] Special Committee Report on Hurricane Katrina and New Orleans Universities at https://portfolio The independent report by Louis Freeh and his law firm, Freeh Sporkin & Sullivan, LLP, documents the facts and circumstances of the actions of Pennsylvania State University surrounding the child abuse committed by a former employee, Gerald A. Sandusky (available at freeh-report). The AAUP’s Committee on College and University Governance reported on breakdowns in governance at the University of Virginia as the board attempted to remove president Sullivan ( and-university-governance-university-virginia-governing-board). American University trustees removed then president Ladner in 2005 after investigation of expense abuses of university funds ( 10-11-au-president_x.htm). The most tragic of these situations was, of course, the shootings at Virginia Tech on April 16, 2007. On December 9, 2010, the U.S. Department of Education issued a final ruling that Virginia Tech had violated the Clery Act by failing to issue a “timely warning” to students and other members of the campus community following the initial shootings early on the morning of April 16, 2007. In commenting on the verdict, Stetson Professor of Law Peter Lake stated, “Higher education is under the microscope now. The accountability level has definitely changed” (S. Lipka, “Jury Holds Virginia Tech Accountable for Students’ Deaths, Raising Expectations at Colleges,” Chronicle of Higher Education, March 14, 2010).

2. In order to disperse federal financial aid and grant degrees, institutions in the United States are accredited by one of several accrediting bodies. One example of the way in which accreditors are emphasizing risk management in their review is the Southern Association of Colleges and Schools Commission on Colleges (SACS COC) ( Standard 3.10.4: The institution demonstrates control over all of its physical and financial resources. The University of Virginia demonstrates evidence of this standard on its website by articulating the organizational structure and integrated policies and procedures related to internal and external audit, internal controls, fixed assets, procurement, facilities management, and risk management, among others (

3. The recent Special Comment by Moody’s, “Governance and Management: The Underpinnings of University Credit Ratings,” declares that “governance and management assessments often account for a notch or more in the final rating outcome compared with the rating that would be indicated by purely quantitative ratio analysis” (Kedem 2010, p. 1). In Moody’s consideration of five broad factors that contribute to its evaluation of governance and management, the report cites “oversight and disclosure processes that reduce risk and enhance operational effectiveness” (p. 2). The report further notes: “Effective internal controls and timely external disclosure about student outcomes, research productivity, financial performance, and organizational efficiency will become the hallmark of effective university leadership and will become increasingly critical in mitigating new risks to individual universities and the sector overall” (p. 3).

4. One significant area of change has been the Internal Revenue Service’s increased oversight of compliance issues affecting tax-exempt entities, including colleges and universities. In 2008, under prompting by members of the U.S. Senate Finance Committee, the IRS developed a 33-page compliance questionnaire (IRS Form 14018) and sent it to a cross section of 400 institutions of higher education. The form focused on a number of potentially sensitive subjects, including the types and amounts of executive compensation, the investment and use of endowment funds, and the relationship between an institution’s exempt activities and other taxable business activities. The IRS also revised its Form 990, “Return of Organization Exempt from Income Tax,” beginning with the 2008 tax year. The purpose of the changes is to increase the transparency and accountability of tax-exempt organizations and to ensure compliance with the Internal Revenue Code by requiring more detailed information in several categories. The changes focus not only on revenue, investment, and spending issues, but also on governance, conflicts of interest, and whistle-blower policies and procedures.

5. Based on a March 13, 2012, phone interview.

6. The Higher Education Act, up for renewal again in 2014, is a law almost 50 years old that governs the nation’s student-aid programs and federal aid to colleges. It was signed into law in 1965 as part of President Johnson’s Great Society agenda of domestic programs, and it has been reauthorized nine times since then, most recently in 2008. Additional examples at the federal level include Section 504 of the Rehabilitation Act of 1973, the Americans with Disabilities Act (ADA) (1990), Family Educational Rights and Privacy Act (FERPA) (1974, 1998, 2009), Health Insurance Portability and Accountability Act (HIPAA) (1996), Clery Act (1990), and Campus Sex Crimes Prevention Act (2000), among others. Lawsuits brought against institutions of higher education in which they and/or certain administrators at those institutions are accused of violating a particular federal law or a related legal right can lead to case decisions that impact that institution and perhaps others. Lawsuits can also have a significant impact even if they result in a settlement rather than a court decision. In May 2006, a group of 12 current and former deaf students at Utah State University sued the institution in U.S. District Court alleging that it had violated the Rehabilitation Act and the ADA by failing to provide enough fully qualified interpreters. The lawsuit also named the Utah State Board of Regents as defendants. After negotiations, the lawsuit was settled in April 2007 with the university agreeing to hire qualified, full-time interpreters at a ratio of one translator for every two deaf students. The lawsuit, the issues it raised, and its ultimate resolution received significant media attention, as well as attention from various organizations around the country promoting the interests of students who are deaf or have hearing deficiencies.

7. Mitroff, Diamond, and Alpaslan (2006) note that “colleges and universities are in the very early stages of establishing their crisis management programs, and much remains to be done. The recent experience in New Orleans and elsewhere suggests that developing and maintaining a well-functioning crisis management program is an operational imperative for college and university leaders” (p. 67).

8. One of those administrators was Elizabeth Cherry, Director of Risk Management, from the University of Washington (UW). As will be discussed in the case study, the UW was embroiled in several high-profile risk situations at the time and was undergoing the first of several presidential transitions.

9. See A. P. Liebenberg and R. E. Hoyt, “The Determinants of Enterprise Risk Management: Evidence from the Appointment of Chief Risk Officers,” Risk Management and Insurance Review 6:1 (2003): 37–52. Their study uses a logistic model to examine the characteristics of firms that adopt ERM programs, most of which signal the fact that they have an ERM program through the hiring of a CRO.


10. Many thanks to Andrew Faris, Enterprise Risk Management Analyst at the University of Washington, and Kerry Kahl, ERM Project Manager at UW. They provided information via an interview in April 2012 that is incorporated throughout this case study. Additional information for the case study comes from Annual Reports, memos, and other documents found on the University of Washington ERM website:

REFERENCES

Abraham, Janice. 2013. Risk Management: An Accountability Guide for University and College Boards. Washington, DC: Association of Governing Boards of Universities and Colleges and United Educators.

American Society of Mechanical Engineers–Innovative Technologies Institute, LLC. 2010. A Risk Analysis Standard for Natural and Man-Made Hazards to Higher Education Institutions. Washington, DC: American National Standards Institute.

Arena, M., M. Arnaboldi, and G. Azzone. 2010. “The Organizational Dynamics of Enterprise Risk Management.” Accounting, Organizations and Society 35:7, 659–675.

Association of Governing Boards of Universities and Colleges and United Educators. 2009. The State of Enterprise Risk Management at Colleges and Universities Today. Available at

Barnds, W. Kent. 2011. “The Risky Business of the Strategic Planning Process.” University Business. Available at planning-process.

Birnbaum, Robert. 1988. How Colleges Work: The Cybernetics of Academic Organization and Leadership. San Francisco: Jossey-Bass.

Bolman, Lee G., and Terrence E. Deal. 2008. Reframing Organizations: Artistry, Choice and Leadership. San Francisco: Jossey-Bass.

Bush, Tony. 2011. Theories of Educational Leadership and Management (4th ed.). London: Sage Publications.

Cassidy, D. L., L. L. Goldstein, S. L. Johnson, J. A. Mattie, and J. E. Morley Jr. 2001. “Developing a Strategy to Manage Enterprisewide Risk in Higher Education.” National Association of College and University Business Officers and PricewaterhouseCoopers. Available at Higher_Educ_2003.pdf.

Chan, Sharon Pian. 2004. “UW Failed to Address Overbilling, Probe Finds.” Seattle Times, May 1, 2004. Available at uwmed01m.html.

Chang, Jean. 2012. Skype interview, March 2.

Committee of Sponsoring Organizations of the Treadway Commission. 2004. Enterprise Risk Management—Integrated Framework. Available at bumko/dosyalar/yayin-dokuman/COSOERM.pdf.

Committee of Sponsoring Organizations of the Treadway Commission. 2011. Internal Control—Integrated Framework. Available at _body_v6.pdf.

Freeh, Sporkin & Sullivan, LLP. 2012. “Report of the Special Investigative Counsel Regarding the Actions of the Pennsylvania State University Related to the Child Sexual Abuse Committed by Gerald A. Sandusky,” July 12. Available at freeh-report.

Gallagher Higher Education Practice. 2009. “Road to Implementation: Enterprise Risk Management for Colleges and Universities.” Arthur Gallagher & Co. Available at


Grant Thornton LLP. 2011. “Best-Practice Tips for Boards, Presidents and Chancellors Regarding Enterprise Risk Management.” OnCourse, January. Retrieved from On%20Course/On%20Course%20-%20Jan%2011%20-%20FINAL.pdf.

Grasgreen, Allie. 2013. “Report Shows How Rutgers Botched Handling of Former Coach, Reiterates 5-year-old Recommendations to Improve Athletics.” Inside Higher Education. Available at botched-handling-former-coach-reiterates-5-year-old.

Gurevitz, Susan. 2009. “Manageable Risk.” University Business. Available at

Helsloot, I., and W. Jong. 2006. “Risk Management in Higher Education and Research in the Netherlands.” Journal of Contingencies and Crisis Management 14:3.

Huber, C. 2009. “Risks and Risk-Based Regulation in Higher Education Institutions.” Tertiary Education and Management 15:2.

Kedem, K. 2010. “Special Comment: Governance and Management: The Underpinnings of University Credit Ratings.” Moody’s Investors Service, Report 128850.

Mitroff, I. I., M. A. Diamond, and M. C. Alpaslan. 2006. “How Prepared Are America’s Colleges and Universities for Major Crises?: Assessing the State of Crisis Management.” Change 38:1, 61–67.

National Association of College and University Business Officers and the Association of Governing Boards of Universities and Colleges. 2007. “Meeting the Challenges of Enter- prise Risk Management in Higher Education.” Available at erm/documents/agb_nacubo_hied.pdf.

Nelson, John. 2012. Phone interview, March 13. Stripling, Jack. 2012. “Penn State Trustees Were Blind to Risk, Just Like Many Boards.”

Chronicle of Higher Education, July 12. Available at State-Trustees-Were-Blind/132943/.

Tertiary Education Quality Standards Agency. 2013. Available at Tufano, Peter. 2011. “Managing Risk in Higher Education.” Forum Futures. Available at University Risk Management and Insurance Association. 2007. “ERM in Higher Education.”

Available at Whitfield, R. N. 2003. “Managing Institutional Risks: A Framework.” Doctoral dissertation.

Retrieved from ProQuest Dissertation and Theses database, AAT 3089860. Willson, C., R. Negoi, and A. Bhatnagar. 2010. “University Risk Management.” Internal Audi-

tor 67:4, 65–68. Wilson, Richard. 2013. “Managing Risk.” Inside Higher Education, May 20. Available at

178 Implementing Enterprise Risk Management

ABOUT THE CONTRIBUTOR

Anne E. Lundquist has had 20 years of increasing administrative responsibilities in higher education, having served as the dean of students at four liberal arts colleges. She received a BA in religious studies from Albion College and an MFA in creative writing from Western Michigan University. Currently, she is a PhD candidate in the Educational Leadership program at Western Michigan University with a concentration in higher education administration, where she works with the vice president of student affairs on student affairs assessment and strategic planning and with the internal auditor and University Strategic Planning Committee on ERM implementation. Her dissertation research study is titled “Enterprise Risk Management (ERM) in Colleges and Universities: Administration Processes Regarding the Adoption, Implementation and Integration of ERM.” Using her expertise in several areas, she has presented and been the author of articles on risk management, institutional liability, students with psychiatric disabilities, assessment and strategic planning, intercultural competence, and the development and implementation of integrated community standards/restorative justice judicial models. She is the coauthor of The Student Affairs Handbook: Translating Legal Principles into Effective Policies (LRP Publications, 2007). She has had three recent risk management publications in peer-reviewed journals: URMIA Journal (2011, 2012) and New Directions for Higher Education, Special Issue, Disability and Higher Education (with Allan Shackelford, July 2011).

Special thanks to Andrew Faris, Enterprise Risk Management Analyst at the University of Washington, for sharing information about the university’s ERM process, answering questions, and providing material for the case study.


Developing Accountability in Risk Management: The British Columbia Lottery Corporation Case Study

JACQUETTA C. M. GOY Director of Risk Management Services, Thompson Rivers University, Canada and Former Senior Manager, Risk Advisory Services, British Columbia Lottery Corporation

This case study describes how enterprise risk management (ERM) has developed over the past 10 years at British Columbia Lottery Corporation (BCLC), a Canadian crown corporation offering lottery, casino, and online gambling. BCLC’s enterprise risk management program has been developed over time through a combination of internal experiential learning and the application of specialist advice. The program’s success has been due to the dedication of a number of key individuals, the support of senior leadership, and the participation of BCLC employees.

The approach to ERM has evolved from informal conversations supported by an external assessment, through a period of high-level corporate focus supported by a dedicated group of champions using voting technology, to an embedded approach, where risk assessment is incorporated into both operational practice and planning for the future using a variety of approaches depending on the context.

BACKGROUND

BCLC is a crown corporation operating in British Columbia (BC), Canada. The corporation was established by act of the British Columbia legislature in 1985. As a commercial crown corporation, BCLC is wholly owned by the province but operates at arm’s length from government, enjoying operational autonomy while reporting to the minister responsible for gaming, currently the Finance Minister. All profits generated by BCLC go directly to the provincial government. The initial remit of the corporation was to operate the lottery schemes previously administered for British Columbia by the Western Canada Lottery Corporation. In 1997, BCLC was given responsibility to conduct and manage slot machines, and in 1998 the corporation’s remit broadened again with additional responsibilities for table games in casinos. In 2004 an online service, PlayNow, was launched.

BCLC has been a highly successful organization for over 28 years, delivering over $15.7 billion in net income to the province of British Columbia. From April 2012 through March 2013, more than $1 billion in gambling proceeds helped fund health care, education, and community programs in British Columbia (BCLC Annual Service Plan Report 2012/2013). BCLC operates the provincial lottery and instant games and provides national lottery games through the Interprovincial Lottery Corporation. Across the province, BCLC manages 17 casinos (15 casinos plus two casinos at racetracks), 19 community gaming centers, and six bingo halls through a number of private-sector service providers. PlayNow, BCLC’s legal online gambling website, offers lottery, sports, bingo, slot, and table games, including online poker. BCLC employs about 850 corporate staff, with more than 37,000 direct and indirect workers employed in British Columbia in gambling operations, government agencies, charities, and support services.

BCLC’s mandate is to “conduct and manage gambling in a socially responsible manner for the benefit of British Columbians” with a vision that “gambling is widely embraced as exceptional entertainment through innovation in design, technology, social responsibility, and customer understanding.” The organization holds the following values as key to its success:

• Integrity: The games we offer and the ways we conduct business are fair, honest, and trustworthy.

• Social Responsibility: Everything we do is done with consideration of its impact on and for the people and communities of British Columbia.

• Respect: We value and respect our players, service providers, and each other.

BCLC believes that playing fairly is a serious responsibility and an empowering opportunity. A commitment to social, economic, and environmental responsibility is central to everything the organization undertakes, and is reflected in the BCLC slogan, “Playing it right.” BCLC strives to create outstanding gambling experiences with games evolving with the player’s idea of excitement. For BCLC, playing is not all about winning; it’s about entertainment.

THE BEGINNINGS OF THE RISK MANAGEMENT JOURNEY

BCLC began its enterprise risk management journey in 2003 with the initiation of an Enterprise-wide Risk & Opportunity Management (EROM) initiative. The impetus for the initiative was twofold—the 2002 inclusion of risk management in the British Columbia Treasury Board’s Core Policy and Procedures Manual and BCLC’s head of Audit Services championing the need for enterprise risk management (ERM).

As a first step, an external consulting firm was contracted to undertake an enterprise-wide risk assessment and to support the Internal Audit team in developing the skills and resources to manage the new ERM program. Interviews and facilitated workshops at management and executive levels were conducted, a risk dictionary was constructed, and the highest risks were identified. The assessment focused on inherent risk compared with an evaluation of management effectiveness to produce a gap analysis, and there was also a discussion around risk tolerance. A final report was produced (Deloitte and Touche 2003), and advice was also provided on potential next steps for the program.

Although the EROM initiative was well received, financial constraints put a hold on the subsequent business case. As a result, the plan to take the program forward through the appointment of a dedicated risk manager and funding for training of a number of risk champions was not implemented at that time.

LEARNING FROM THE FIRST ERM INITIATIVE

The initial assessment provided a strong starting point for the BCLC ERM program, but even though the engagement was originally intended to be the first part of a longer-term initiative, there was insufficient impetus to put the program into operation in the face of competing priorities. This is not an unusual outcome: although using a consultant to kick-start programs can leverage experience and expertise that organizations may not otherwise have access to, using an external party contracted for a defined period of time can also lead to a project-type approach, where the focus is more on getting the risk assessment completed and less on longer-term implementation. In addition, it may be easier to source short-term consultancy fees than it is to obtain longer-term resourcing commitments.

Another issue can arise where consultants bring in defined methodologies that do not easily fit with the organization’s normal approach to decision making or where participants do not understand the underlying process, and so do not fully endorse and own the outcome. To overcome this issue, the consultants worked closely with the BCLC Internal Audit team with part of the stated purpose of the engagement being to build risk management expertise within BCLC.

RESTARTING THE PROGRAM—2006–2008

In early 2006, the head of Audit Services’ proposal to update the 2003 risk assessment was endorsed by BCLC’s executive team. Audit Services facilitated an assessment of critical strategic and operational risks facing BCLC, by developing a set of risks for analysis through consultation with the executive team, preparing an environmental scan, and concluding with a facilitated risk workshop to evaluate and prioritize each risk. The initiative was strongly informed by the successful ERM program being run at that time by another Canadian lottery organization, the Atlantic Lottery Corporation.

The intended outcome of the 2006 assessment was to inform the three-year-old audit plan, to develop new risk criteria, and to raise awareness about the importance of risk management. The success of the exercise led to the development and acceptance of a business case in August 2006 to resource a part-time risk manager, responsible for putting into operation the risk management program. This approach was endorsed by the CEO as part of an organization-wide initiative to develop and embed a high-performance culture across BCLC.


Exhibit 10.1 2006 ERM Organizational Structure (chart not reproduced): Board of Directors via Audit Committee; Executive Sponsor; ERM Advisory Team; Enterprise Risk Manager; Audit Services.

Leadership for the initiative was assigned to an executive sponsor. In the first instance, this was the chief information officer.

A cross-functional leadership team model was also approved, to be known as the ERM Advisory Team, responsible for oversight and approval of recommendations on behalf of the Executive Committee and consisting of the executive sponsor and a small number of key directors from each BCLC division. Operational support was provided by Internal Audit. The organizational structure is shown in Exhibit 10.1.

It is not entirely clear why the 2006 risk assessment exercise led to support for an ongoing ERM program while the 2003 initiative did not. The head of Internal Audit championed both initiatives, and the earlier risk assessment activity was well received. The consultants reporting in 2003 stated that “the culture in BCLC is proactive and is ideally suited to the EROM’s philosophy and benefits.” Executive response to both initiatives was largely positive. There does not appear to have been a so-called burning platform created in 2006; it was more a growing recognition that the time was right to adopt a more formal approach to ERM. It may be that increasing recognition of the importance of managing risk across North America with the introduction of Sarbanes-Oxley requirements1 and publication of COSO’s ERM Integrated Framework in 2004 influenced senior management. Or it could be that the simple iterative approach adopted by the head of Internal Audit when he decided to update the 2003 risk assessment—“Start slow and at the top, get learning and feedback, and then take down the ladder”—demystified the concept and increased engagement. Regardless, 2006 marked a new start for ERM, and the genesis of the current BCLC program.


KEY STEPS IN THE DEVELOPMENT OF THE ERM PROGRAM

For the second risk assessment, a streamlined process was adopted. Rather than starting with the risk statements from the dictionary, each VP was simply asked to identify their top three strategic and operational risks, with the results analyzed, combined, and allocated into the 2006 categories.

The resulting 37 risks were brought to two executive-level workshops and, as with the 2003 assessment, voting technology was used for prioritization. Nine critical risks were identified and taken forward to be integrated into the audit plan. One key difference from the 2003 assessment was the development of BCLC-specific likelihood and consequence qualitative criteria. Of interest is the correlation between the two assessments, with only two critical risks identified in 2003 not appearing in the critical zone in 2006, and no new critical risks introduced.

With the appointment of a dedicated Enterprise Risk Manager and the support of an executive sponsor, the launch of a formal ERM program became possible. The senior auditor from the Internal Audit team moved to the new position, bringing continuity with previous ERM initiatives. Between August and December 2006, the focus was on developing the core risk documentation, including terms of reference for the new steering group, an ERM policy, a project charter, and an initial plan. The initial areas of focus were to:

• Develop and continuously refine a practical ERM framework to support the identification and management of risk.

• Continuously manage risks, limiting exposure to an acceptable level while maximizing business opportunities.

• Embed a risk awareness that is a key component of instilling a high-performance culture.

A key feature of the new approach to ERM was the formation of the ERM Advisory Committee (known as ERMAC). The concept of ERMAC was to create risk champions, high-performing senior leaders from each division whose role would be to influence, communicate, and educate management and staff within their business areas about the benefits of risk management.

By January 2007, the new committee was established and the ERM policies and plan were in place, with proposals to embed risk management into project planning, business cases, and strategic planning under discussion.

In May 2007 a critical report about BCLC was issued by the British Columbia Ombudsman following an investigation into BCLC’s prize payout processes (BC Ombudsman 2007). The investigation was triggered by a CBC Fifth Estate investigation2 in October 2006 on issues in Ontario associated with lottery retailers winning major prizes, with the concern being that similar issues could have occurred in British Columbia. Although no incidents of wrongdoing were discovered during the investigation, the report and a subsequent audit and recommendations published by Deloitte & Touche in October 2007 marked a critical point in BCLC’s transformation into a modern player-centric organization.


For risk management, the Ombudsman’s review led to both a greater impetus and a broader focus for the program. BCLC had always considered integrity to be vital to the organization, but the fundamental goal of delivering revenue to government was often the dominant concern, and this was reflected in earlier risk assessments. With the advent of the Player First program,3 significant additional resources and oversight were now dedicated to security, compliance, and reputation management, and this increased emphasis was reflected in the risk assessment conducted by the ERMAC team in April 2007.

The basis of the assessment was the risk statements completed by the Executive Committee in 2006, with new key risks facing BCLC added through consultation with key members of each of the business/support units and incorporated into an expanded risk dictionary. Once the new risk statement descriptions were agreed on, workshops were held to assess the risk ratings, and also to determine how effective the current arrangements for managing each risk were. The 12 risks with the largest gaps identified between risk rating and management effectiveness were then selected for further profiling and control analysis.

Throughout 2007, the remaining enterprise risks were profiled in order to better identify the associated causes and controls. Two further enterprise risk assessments were facilitated in 2008, and a regular quarterly risk report produced from June 2008 forward provided details of both the development of the overall program and monitoring of individual risks.

Parallel to the enterprise risk assessment, a project risk assessment approach was developed and implemented, with a number of initiatives used to facilitate risk assessments, very similar to those conducted at an enterprise level. As with the enterprise risk assessments, the risk dictionary was used to support the development of potential risk statements, which were then voted on at a facilitated meeting of the core project team. Project risk assessments were piloted with four projects in 2007, and further developed with seven project risk assessments facilitated in 2008. Although the workshops were generally felt to be productive and beneficial, the volume of risks generated meant that on occasion it was not possible to assess all the risks presented.

In May 2008, the Enterprise Risk Manager was appointed director of Audit Services. Although risk assessments continued to be supported by the Internal Audit team, the further development of enterprise risk management was constrained due to the lack of dedicated resources, as the ERM manager post was not immediately filled.

REVITALIZING THE ERM PROGRAM—2009–2010

In the fall of 2008 the position of Manager, Risk Planning and Mitigation was created and an experienced risk manager was recruited to the position in late December 2008. The original intention of the appointment was to increase focus on risk treatment strategies and business-unit-level risk management activities, with the expectation that Internal Audit would continue to develop and report on the enterprise risk management framework. In late January 2009, the director of Audit Services left BCLC and the manager of Risk Planning and Mitigation assumed responsibility for managing all aspects of the ERM program.


The new risk manager brought a more operational approach, and was able to build on the excellent foundations already established to develop a new ERM strategy and supporting plan designed to move the ERM program to the next stage of maturity.

Throughout 2009, BCLC transitioned from the previous approach, where a portfolio of enterprise risk statements was assessed at a corporate level by ERMAC members, to a specific risk register with risks evaluated and agreed on at a divisional level and significant risks then escalated to the enterprise register.

One of the first changes was to move from an assessment of inherent risk with a supplementary assessment as to whether the risk was thought to be managed effectively to the use of a residual risk assessment methodology that included a more formal assessment of the effectiveness of control mechanisms in place. The next enterprise risk assessment was conducted in March 2009, and moved from the ERMAC voting approach to assessments by individual risk owners, with the committee providing more of a quality assurance function. New risk criteria were also adopted. A significant outcome was that the majority of risks were rated at a lower impact/consequence level (18 out of 29 dropping at least one rating, and three falling from critical to low risk).

Between March and July 2009, a series of risk and controls assessment workshops were held covering all divisions. The workshops brought together either functional teams or collections of specialists in thematic sessions (for example, marketing). Close to 300 managers and staff were involved. Each group attended two workshops; the first featured an educational component, brainstorming exercises, and process mapping with threats and vulnerabilities identification, while the follow-up session looked at a number of prioritized areas of risk in more detail, with a deep-dive assessment of risks and controls. The output of the workshops was the creation of divisional risk registers. Enterprise-level risks were then extracted from the divisional registers for an organization-wide view of all significant risks.

By September 2009, risk registers were established for all divisions. The new registers were more comprehensive than the previous risk documentation, with a greater focus on risk treatment and specific individuals identified as responsible for each risk treatment plan. The risk management policy was updated and new supporting guidance published.

Through 2009 and 2010, the risk management approach was further developed and embedded. In particular, the use of risk management in business case development and project management increased, while the new registers were updated on a quarterly basis. Regular quarterly reports on the risk management program were produced for discussion by the Executive Committee and at the Audit Committee.

In the summer of 2010, the risk management policy and guidelines were updated and a new risk management strategy was produced to reflect the newly published international standard on risk management, ISO 31000:2009, Risk Management—Principles and Guidelines. BCLC had previously been using the Australian risk management standard (AS/NZS 4360:2004), so the move to the new standard was a simple transition. At the same time, the government of British Columbia endorsed the new standard across all ministries, and subsequently used the approach for a number of provincially coordinated risk management activities (for example, planning for the 2010 Winter Olympics and preparing for a potential pandemic). The policy stated: “BCLC is committed to building increased awareness and a shared responsibility for risk management at all levels of the organization, and to facilitate the integration of the management and prioritization of risks into planning and operational activities.”

The terms of reference for the ERMAC were also updated (see Exhibit 10.2), reflecting the change in practice from a single central risk assessment to the more devolved approach now in place.

Exhibit 10.2 Terms of Reference for the Enterprise Risk Management Advisory Committee

January 2007–March 2010

C. Terms of Reference
ERM Advisory Committee (“ERMAC”)

The ERMAC is an operational committee promoted and supported by the Executive to oversee the risk management process of the BCLC. The ERMAC reports to the Executive Sponsor. The ERMAC will:

• Approve a suitable risk management mandate, terms of reference, and policy for BCLC, for endorsement by the Executive

• Approve and oversee the implementation of a flexible, adaptable Risk Management process of BCLC as a whole, on behalf of Executive

• Recommend an appropriate risk appetite or level of exposure for BCLC to the Executive

• Identify and quantify fundamental risks affecting BCLC, and ensure that arrangements are in place to manage those risks

• At least annually, review fundamental risks and their controls and report to Executive

• Inform the Audit Committee on risks and controls that should be included in the Audit needs assessment, ensuring the integration of Audit Services into risk management

• Ensure that critical risks are adequately dealt with

• Help embed a risk management culture into all major decisions, through risk education, high-level controls, and procedures

• Consider major decisions affecting BCLC’s risk profile or exposure

March 2010–March 2011

C. Terms of Reference
ERM Advisory Committee (“ERMAC”)

The ERM Advisory Committee is tasked by the Executive to support the implementation of risk management across BCLC. The committee will:

• Appraise, revise, and monitor the annual risk management program;

• Review any changes to the Risk Management Policy prior to submission for approval by the Executive;

• Consider and approve procedures and guidance to support the risk management policy and process;

• Review the effectiveness of risk management processes used across BCLC;

• Help embed a risk management culture across the organization;

• Support the development of a risk management awareness and education program; and

• Provide support for the Divisional Risk Representatives, through encouraging sharing experience and enabling frank discussion of any risk-related issues arising.

From time to time the committee may also focus on a particular area of risk.


STRENGTHENING THE PROGRAM—2010–2013

In 2010, it was agreed that Internal Audit should conduct a review of the risk management program with a view to “identify any gaps and areas for improvement to ensure that the fundamental building blocks are in place to deliver on the organization’s risk management needs effectively and efficiently.” Interviews were conducted with Enterprise Risk Management Advisory Committee members, the executive team, CEO, and board and Audit Committee members.

The review found that the ERM process was well established and documented, with strong levels of support from all levels of the organization and an increasingly risk-conscious culture. However, risk management was not yet fully embedded within all of the organization’s functions. There was some variance in perceptions of risk tolerance, and in general the program was stronger on reporting risks than it was at driving change, with significant amounts of informal risk-related discussions taking place outside of the program. Senior management also reported that too many risks were escalated to them, often at a level that was perceived to be too granular or operational.

In addition to the internal review, BCLC took part in a benchmarking exercise conducted by Ernst & Young together with seven other Canadian lottery and gaming organizations. The exercise consisted of a questionnaire completed by key risk personnel at each organization, facilitated by telephone interviews conducted by the E&Y team.

The results (Ernst & Young 2010) showed that BCLC was in a similar position to many of the other gaming organizations in having a relatively young ERM program. In common with much of the gaming industry at the time, BCLC’s strongest area was risk assessment, while risk tracking and the ERM structure were relatively weak (see Exhibit 10.3). The exercise included a simple self-assessment of perceived ERM maturity, where BCLC assessed itself as having risk activities in place, but that risk management was not yet consistently applied and well understood by management and employees across the organization.

Exhibit 10.3 ERM Maturity at BCLC in 2010. Extracted from Ernst & Young ERM Benchmarking Survey, 2010.

Chart (not reproduced): assessed ERM maturity versus perceived ERM maturity for the participating organizations A–H, plotted across the dimensions Culture and Communication, Risk Tracking, Risk Assessment, Action Plans, and Link to Strategy. Level 3—In place: risk management activities are established, yet not consistently applied or fully understood by management and relevant employees in key functions/business areas.

The results of the internal review and the E&Y assessment were presented to BCLC’s executive team in February 2011. A number of recommendations were proposed and adopted, including strengthening senior management ownership and accountability, realigning risk criteria to better match BCLC’s tolerance for risk across organizational objectives, and broadening the focus of the program from largely operational to a more strategic level.

In April 2011, the risk management function moved to the Finance and Corporate Services division, with the CFO taking responsibility for executive leadership of the program. The risk criteria and evaluation matrix were updated and the risk review process strengthened, establishing regular review meetings for every division whereby each division’s senior management team reported to their vice president (VP) on their risks every quarter. Risk oversight was also reviewed, and in addition to strengthening processes at a divisional level, dedicated time at executive meetings was scheduled to review the quarterly risk report prior to presentation to the Audit Committee. A key step in increasing accountability came from the formal assignment of each area of high risk to the appropriate VP, who would be responsible for reporting each risk in detail and providing a regular update on progress with the agreed treatment plans.

At this time, the ERM Advisory Committee was disbanded. While the committee of risk champions had played a significant role in coordinating initial assessment activities and in increasing the understanding of risk management across the organization in the early years of the risk management program, it was now felt that, as all directors were expected to be fully conversant with risk management and with the movement of risk identification, evaluation, and reporting into mainstream management, the group no longer added significant value.

A new Risk Management Planning Group reporting to the CFO was established to align and coordinate a number of risk and compliance activities, in particular looking for synergies between the risk, business continuity, insurance, and antifraud programs. The intention of the group was to assist in the design of tools and approaches that deliver progress across the programs and also reduce managerial overload from potentially competing programs.

Over the next year, a series of risk reviews were undertaken with each division, with the aim to refresh the divisional registers and to make sure that each group reviewed both current and potential risks against both BCLC and divisional strategies. The format of the reviews varied across groups, dependent on divisional responsiveness and parallel activities. Several workshops were held with broader management teams, two were jointly coordinated with Internal Audit exercises, and one was externally facilitated. The review process further increased ownership and accountability by reinforcing the message that risk management and reporting are the responsibility of everyone throughout the organization.

In early 2012 BCLC invited an external consulting firm to look again at its ERM program, consider the progress made since the work in 2003, and make some recommendations as to next steps. In April 2012, the consultants delivered a presentation to the board on “Moving from a Risk Monitoring Organization to a Risk Intelligent Organization,” and facilitated a discussion on risk governance and oversight. It was agreed to move risk oversight from the Audit Committee to the full board, to include more formal consideration of risk in the strategic planning process, and to continue to improve risk management processes, practices, and awareness.

In the winter of 2012 an opportunity arose to embed ERM into strategic plan- ning when an exercise to identify and assess strategic risks was undertaken. The aim of this exercise was to identify and prioritize a set of holistic enterprise-level longer-term risks in order to inform strategic planning alongside a program of opti- mization. An off-site workshop was led by the CEO and the executive team with additional input from a small group of directors known as the leadership team, and supported by risk, corporate strategy, and audit services. Facilitation was provided by an external party. During the workshop, political, regulatory, economic, com- petitive, technology, and social business environmental factors were considered, and after a lively and informed discussion 11 key strategic risks were identified and initial sponsors assigned.

Following the workshop, a series of meetings were held with the assigned VP leads and other relevant parties, facilitated by the Senior Manager, Risk Advisory, to discuss each risk in greater detail using a bow tie approach[4], identifying key causes, consequences, controls, and planned treatments. A formal report was developed, and a strategic risk register is now in place. Going forward, the strategic risks will be used to inform strategic planning and business optimization, while the shorter-term, more operationally focused risks continue to be reflected and addressed in business planning at an enterprise, divisional, and initiative level.

BUILDING THE RISK PROFILE

One of the first steps often taken by many organizations in developing enterprise risk management is to identify the risks that the organization faces, although ISO 31000 recommends that the risk framework is established prior to this step and that the context is established prior to risk identification. For BCLC’s first risk identification exercise, the context was provided by the consultancy team in the form of a risk dictionary or universe. The idea behind the risk universe concept is that all potential risks can be identified and classified into definitive categories, which can then be used as a generic tool to identify risk within and across organizations in a consistent manner.

The universe used for the initial BCLC risk assessment contained 70 generic descriptions of risks, which were adapted after consultation to fit the BCLC environment more accurately. The resulting 2003 BCLC risk universe included 59 potential risks divided into external and internal categories with strategic, oper- ations, technology, financial, and organizational health subcategories, and can be seen in Exhibit 10.4. Each risk was given both a two- or three-word title and a short high-level description.

Some risk practitioners consider that the development and use of a risk uni- verse or defined classification system is essential in any enterprise risk manage- ment program (Society of Actuaries 2009, 2010). However, to be effective there must be clear rules to support consistent classification, and each set of risks must consist of like items that are relevant to management decision making.

190 Implementing Enterprise Risk Management

Exhibit 10.4 The 2003 BCLC Risk Universe

External Risks: Competitor; Catastrophic Loss; Financial Markets; Legal; Regulatory; Player Demands &; Economic, Political & Societal Change; Technological Innovation

Internal Risks
- Strategic: Environmental Scan; External Relations; Business Portfolio Performance; Mergers & Acquisitions; Alignment; Organizational Structure; Business Model; Culture; Governance; Strategic Alliance
- Operations: Capacity; Fraud; Communication; Extended Enterprise; Vendor Management; Health & Safety; Change Management; Environmental; Compliance; Customer Satisfaction; Brand Name Reputation; Pricing; Product Development; Safeguarding of Assets; Business Interruption; Supply Chain; Product/Service Failure; Knowledge Management; Project Planning; Performance Gap; Gaming Integrity
- Organizational Health: Recruitment; Training & Development; Employee Satisfaction; Ethics & Values; Accountability & Responsibility; Leadership; Retention, Recruitment, & Succession Planning
- Technology: Access, Security, & Tech. Integrity; Information Availability; Technology
- Financial: Credit; Market; Liquidity; Budget & Planning; Valuation; Capital Acquisition & Management; Financial & Management Reporting

One common issue is that the list of risk statements may contain a mix of risk events, root causes, and outcomes, leading to imprecision and confusion, which may make assessing the level of risk or determining appropriate treatment more difficult. Another issue is that risk statements may be expressed in very generic terms that may not easily apply to the organization in question, or may make con- tributors feel that the risk assessment exercise is academic and not directly related to their day-to-day experiences.

The 2003 BCLC risk dictionary exhibited both of these issues, as shown in Exhibit 10.5.


Exhibit 10.5 Analysis of Sample Statements from the 2003 BCLC Risk Dictionary

1. Catastrophic loss risk: “A major disaster threatens BCLC’s ability to sustain its operations and minimize financial losses.”
   Type: Outcome. Issue: The outcome could arise from a variety of different circumstances, making risk response problematic.

2. Governance risk: “BCLC does not have the appropriate governance practices in place.”
   Type: Cause. Issue: It is unclear why practices might be a cause for concern, making assessing the level of risk difficult.

3. Health and safety risk: “Failure to provide a safe working environment for its workers exposes the organization to compensation liabilities, loss of business reputation, and other costs.”
   Type: Risk. Issue: This is a clear problem and outcome statement but is expressed generically, which may mean that there is a poor fit to the organization.

The intention behind the development of the risk dictionary was to provide common categorizations for specific risks identified across BCLC, and it was used effectively at a business unit level both to stimulate conversation and to identify specific risks, which were then translated to draft risk registers. At the enterprise level, the high-level statements were used for evaluation, and specific risk state- ments were not created.

The BCLC risk dictionary was reviewed, updated, and expanded in 2007 fol- lowing the risk assessment exercise conducted by the Enterprise Risk Manager and the ERMAC team. One hundred and nine risk statements were captured in the cat- egories of external, process, strategic, information, human capital, integrity, tech- nical, and financial.

Through 2007 and 2008, the risk dictionary was used as the basis for assess- ments at an enterprise level, and the prioritized enterprise risks were then used to structure project risk assessments and also increasingly to support risk assess- ments in business cases.

In late 2008, as part of the ongoing development of corporate performance management, BCLC completed an exercise to implement the balanced scorecard methodology. This approach greatly assisted the risk management program in tak- ing a fresh look into the corporate risk profile, and all of the risks were aligned to the new balanced goals. As a result, the risk dictionary was retired, with new guidance issued in 2009 recommending that all risk assessments start not from a predetermined list, but instead by looking at the objectives of the enterprise and, where relevant, the specific initiative.

The BCLC risk register generally includes around 100 risks across the nine divisions. As spreadsheets are currently used to manage the risk information, a decision was made to remove green (low) risks where it is determined that the risk level is stable and provided that there are sufficient monitoring processes embedded into mainstream management. Each quarter, a small number of new risks are identified and an equally small number are retired as circumstances change, awareness increases, and treatment plans come to fruition.

BCLC places particular emphasis on the construction of clear descriptions for each risk, with the following guidance provided to all employees:

It is of particular importance that all risks are clearly expressed. BCLC has adopted a “CCC” approach where all risk statements should include not only the poten- tial change but also the most significant consequence and cause. Risk statements should start with wording equivalent to “The risk of/that” or “The opportunity to” and be expressed as a possibility (using “may” or “might”). Descriptions should be limited in length and specialized jargon or acronyms should be avoided where possible, so that anyone reading the risk statement can easily understand the risk. Care should be taken in order to avoid alarmist language. When recording partic- ularly sensitive risks, advice should be sought from either Risk Advisory Services or the Legal Services team.

—BCLC Risk Management Guidelines, 2013

On a regular basis, the Enterprise Risk Manager assesses the full set of risks and develops thematic risk maps, cascading from organizational goals and relating to key corporate strategies (the template schematic is shown in Exhibit 10.6). These maps have been used as a key input to risk review workshops and are incorporated into quarterly reporting processes. The advantage of this fluid approach is that the maps are easily modified as organizational focus has evolved; however, at present production is reliant on the insight and capacity of the Enterprise Risk Manager. BCLC is currently exploring purchasing a specialist ERM software support solution to more efficiently manage the program. Automated risk interdependency mapping is a function that the administrators hope to be able to purchase.

Exhibit 10.6 Thematic Risk Map Schematic (figure: a template map cascading from organizational goals to key corporate strategies and their related risks)


BCLC’s risk management program would not have been possible without the two risk managers, the ERMAC group and its champions, and the initial drive from the head of Internal Audit to implement ERM. Although most risk managers will state that the most important prerequisite for a successful risk management program is active endorsement by senior management, the provision of operational manage- rial resources is also essential. At BCLC, as with most organizations, the greatest progress has been made when there has been a designated risk manager assigned to the ERM program.

The role of the central risk function at BCLC, Risk Advisory Services, has not been to manage any specific risks, but rather to provide expert facilitation, coordi- nation, and advice to management. The accountability for individual risks remains with the manager responsible for the program where the risk originates.

The two managers who have supported the ERM program came from very different backgrounds and brought different approaches to the program. Initially the program was initiated within Internal Audit and the first risk manager brought both extensive internal audit experience and, as an internal appointment, an under- standing of BCLC’s culture and approach. The second risk manager came with a more operationally focused risk management background and from a very differ- ent sector. Enterprise risk management is a developing discipline, and practition- ers come from a wide variety of backgrounds (including finance, audit, health and safety, quality assurance, engineering, insurance, etc.), each with their own slightly different approach. Where risk management programs are supported by a single individual, change in personnel can be an opportunity to revitalize programs but also has the potential for discontinuity.

During the initial establishment of the program in 2007–2008, the active engagement of the ERMAC group of risk champions supported adoption of risk management across BCLC, bringing their knowledge and enthusiasm to both the enterprise risk assessments and the development of the program as a whole.

Risk champions are frequently advocated as a way to embed risk management into functional areas through their existing personal and professional relationships, and also as a group with diverse backgrounds and operational experience to assist with articulating a more holistic enterprise-level view of risk. However, there are some issues with the concept:

• Those selected may be the usual suspects: individuals who are chosen for every initiative either because they are felt to be particularly capable, in which case they may be overly stretched, or conversely because they are underutilized at present, leading to the possibility that they may not have the required influence to be effective.

• There may be a perception that the champion is responsible for risks in his or her division or functional area, even though other individuals hold the appropriate managerial or oversight role. This issue may lead to risks being identified but not effectively managed with formal treatment plans, and potentially to difficulties with monitoring and follow-up. Over time, champions may feel that they are put in a difficult position, or may become frustrated that their concerns are not taken forward and acted upon.

During the establishment of the ERM program, the role of the champions on the ERM Advisory Committee was clear, but as the program progressed, and in particular following the changes in 2009, the mandate became less clear and mem- bers began to feel a degree of frustration. The 2010 Internal Audit ERM review picked up on these concerns, and a new model was proposed that led to the dis- banding of the committee in 2011.

The new model recognized the high level of engagement of senior manage- ment across BCLC and the more dynamic role of the Executive and the board, and also picked up on the developing concept of linking governance, risk, and compliance (GRC) matters into an integrated approach. The previous mandates of both ERMAC and a compliance committee that BCLC had established in early 2010 were brought together into the new Risk Management Planning Group (see Exhibit 10.7). This group consists of the leads from key BCLC programs, such as business planning, portfolio management, business continuity, enterprise architec- ture, internal audit, and policy management, with the primary role to share knowl- edge and improve coordination across the functions.

Early accomplishments for the group included the development and adoption of a shared lexicon of key risk management terms, and a jointly developed compli- ance management proposal and business case. Currently, the group is focused on developing a broad-based GRC-type dashboard, which will bring together infor- mation about the status of risks, audits, policies, regulations, performance indica- tors, incidents, and issues at a divisional level.

Exhibit 10.7 ERM Governance Structure, 2012–2013 (figure; elements recovered from the diagram)

- Board of Directors: determines strategy
- Executive: monitors significant risks, treatment plans, and compliance issues
- Risk Management Planning Group: oversees the program and leads risk reviews; supports the risk management program
- Internal Audit: provides advice and verification
- Divisional Management, through divisional risk review meetings: undertakes risk management activity
- Project Management, through project steering group meetings: reviews risks and treatment plans


DEVELOPING A MORE SOPHISTICATED APPROACH TO RISK ANALYSIS AND EVALUATION

According to ISO 31000, an essential part of developing any risk management framework is defining the criteria for evaluating risk. Risk criteria are used to reduce subjectivity and to communicate risk tolerance, and should lead to consistency across different assessments. In common with many nonfinancial organizations, BCLC uses risk tables with qualitative descriptions of a variety of potential impacts.

Over the past 10 years, a variety of risk tables and evaluation approaches have been adopted.

When BCLC conducted its initial enterprise risk management exercise in 2003, generic consequence and likelihood and management effectiveness scales with a 1 to 5 range were provided to BCLC by the consultants. The impact ratings focused on monetary and service provision consequences, while the likelihood ratings con- sidered the chance of occurrence over the next three years.

For this initiative, risk workshops were used for the majority of risk analysis, with risk statements either predetermined or defined in advance using interviews with key internal stakeholders and then voted on by the Executive Committee, the ERMAC team, or a specific project team depending on the context. Voting tech- nology was used at each workshop, with each participant independently rating each risk. After each vote, the software calculated the average score and derived an overall risk rating for each risk. Using voting has a number of benefits, princi- pally allowing a large number of risks to be assessed in a relatively short period of time. Advocates also claim that voting reduces group bias, as results can be pre- sented anonymously and any variations can be discussed.

Voters at each facilitated workshop were asked to rate the likelihood that a particular event would occur in the absence of any controls in place to mitigate the risk (known as the inherent likelihood). Each risk was then mapped to one of four categories (see Exhibit 10.8). An additional exercise considered the effectiveness of current control levels for each risk and also the desired level of control in order to identify any risks where it was considered that additional levels of control were required.

The Internal Audit–led exercise in 2006 initially used a very simple scale (high, moderate, low, and very low) when asking participants to identify/report their top three risks, and then introduced a new BCLC-specific impact and likelihood table to assess inherent impact and likelihood, using the same voting and aver- aging methodology as used in 2003. The new risk criteria considered a range of potential consequences, from threats to product integrity, to media reports, sales, stakeholder relations, regulatory noncompliance, and budgetary impact. The new likelihood ratings included both an assessment of the probability of occurrence and reference to historical incidence and common root causes and control effec- tiveness. The risks were again grouped into four categories, as can be seen in Exhibit 10.9.

The 2007 enterprise assessment developed the risk assessment framework further, reflecting the additional resources now available to the ERM program with the appointment of a dedicated manager and the engagement of the new ERMAC team. The criteria were revised once more, with metrics developed for each category of consequence, a cleaner likelihood table with measures of both probability and frequency, and a new management effectiveness rating table.

Exhibit 10.8 2003 Risk Mapping Approach (four categories of inherent likelihood against impact)

- Critical: critical risks that will have a significant impact on the operations and organizational objectives and are likely to occur.
- Primary: lower likelihood, but could have a significant adverse effect on operations and business objectives if the risk occurred.
- Less significant: less significant risks; little monitoring or effort.
- Risks that are likely to occur but have a small impact: consider the cost/benefit trade-off.

Assessment participants were asked to vote on the impact if the risk event were to occur and the inherent likelihood of that event occurring. As with the previous assessments, the overall rating assigned to each risk was taken as the average, giving a score from 1 to 5 for each risk. A further vote was then conducted on how effective the ERMAC team considered current controls to be for each risk (the “current management effectiveness”). The two scores were then compared and any risks with a high-risk rating and a lower management effectiveness rating were identified as requiring management attention.

Exhibit 10.9 2006 Internal Audit Risk Matrix (impact against likelihood, each low to high)

- Low risks: two risk statements
- Moderate risks: five risk statements
- High risks: 17 risk statements
- Critical risks: nine risk statements
- Label on the matrix: “Risks used to inform the three-year Audit Plan”

Exhibit 10.10 2008 ERM Residual Risk Rating Matrix (impact against likelihood, each low to high; placement determined by the gap between the management effectiveness rating and the inherent risk rating)

- Low risks: management effectiveness rating is the same as the inherent risk rating.
- Moderate risks (risk or opportunity): management effectiveness rating and inherent risk rating differ only slightly (within 0.5 either way).
- High risks: Risk where management effectiveness is somewhat lower than inherent risk (by more than 0.5 and up to 1); Opportunity where management effectiveness is somewhat higher than inherent risk (by more than 0.5 and up to 1).
- Critical risks: Risk where management effectiveness is significantly lower than inherent risk (by more than 1); Opportunity where management effectiveness is significantly higher than inherent risk (by more than 1).

The two enterprise risk assessments in 2008 in February and November used a very similar approach to the 2007 assessment, except that, instead of reporting on the inherent risk ratings and highlighting any significant gaps between the inher- ent risk rating and the management effectiveness rating, the management effec- tiveness metric was used to place each risk in a residual risk matrix, according to the size of the gap. Where the gap showed that controls were insufficient, this was termed a risk (better described as intolerable residual risk), and where the gap showed that controls were excessive, this was classified as an opportunity (to reduce control levels). The final outcome of the exercise is shown in Exhibit 10.10.

This approach was adopted partly in recognition that BCLC had not always put in place sufficient controls for the level of risk, but also because there was a perception that in some areas excessive controls had been implemented, partly in response to the Ombudsman report and subsequent recommendations and partly because some areas of the organization were considered to be risk averse.

From 2009, there was a change in emphasis from primarily inherent to residual risk assessments. This was partly due to the different approach of the new manager, partly due to difficulties with accurately assessing inherent risk, and partly because of a new opportunity with the development of new organizational goals. BCLC had been exploring the concept of balanced scorecards[5] as part of developing a more mature approach to performance management, and in early 2009 new risk criteria were introduced based on the new goals. This reinforced the link between risk and wider business and strategic planning, and enabled the development of a smaller set of risk impact categories that resonated with both management and senior leadership. The impact criteria were developed with key managers and validated with the executives, with an annual update incorporated into the risk management planning timetable.

At this time also BCLC ceased to use the voting technology for a variety of reasons, including cost and geographical limitations, and moved to an approach where group workshops prioritized risk but did not undertake formal analysis or evaluation. A variety of visual mapping techniques were introduced with a more hands-on style adopted, requiring workshop participants to engage more directly through the use of techniques such as using Post-its, voting cards, target placement, assigning spots, and drawing process maps. Formal analysis moved to the appropriate subject matter expert with quality assurance provided by the risk manager and then confirmation of risk scoring provided by the relevant member of the executive or project steering group.

In 2011, as an outcome of the Internal Audit ERM review, it was agreed that the criteria were not sufficiently aligned with leadership attitudes to risk, and that too many risks were being reported with a high rating and thus being escalated in the quarterly report. An exercise was conducted with executives to better align the existing risk criteria to organizational tolerance, and to discuss the perception that the organization, or at least some parts of it, was overly risk averse. Perspective was provided through discussion of the balance between risk aversion and excessive risk appetite and the use of the “as low as reasonably practicable” principle (referred to as ALARP, or sometimes ALARA [as low as reasonably achievable], and described in ISO 31010).

Two activities were undertaken, each designed to look at the four dimensions of impact in the ERM framework to ascertain whether current levels were an accu- rate representation of the attitude of BCLC leadership toward risk, and to initiate discussion where that attitude varied among the executives.

The first exercise (see Exhibit 10.11) used a poster showing the existing impact criteria, and each executive was asked to mark where he or she believed the current catastrophic or level 5 impact should truly fall on the scale. This clearly shows that the scales in use at the time were generally felt to be misaligned with organizational risk tolerance, in particular for financial/operations and people impacts.

The second exercise took a small number of existing and well-understood risks, all currently assessed at a similar risk rating but with impacts across the different dimensions. Each executive was asked to place the risk where he or she believed it lay on the current impact table, again displayed as a large poster. Exhibit 10.12 depicts the mapping for two of the risks, showing both the spread of opinion, and the disparity between the rating at the time and the risk attitude of the executives both as individuals and collectively.

The exercises were successful in generating discussion about relative risk tolerances and showed both that the overall evaluation tools were escalating risk at too low a level and also that the risk criteria across the different impact dimensions were not completely aligned to the collective executive risk perception and attitudes.

Exhibit 10.11 Impact Scale Evaluation Exercise (poster: the four impact dimensions, Player, People, Financial/Operations, and Public/Planet, each on a 1 to 5 scale with brief descriptions of the level 2 and level 4 criteria; each executive marked where the level 5 impact should truly fall on each scale)

The impact criteria and the risk evaluation table were adjusted after the exec- utive meeting, and the new approach adopted for the next risk review in March 2011. As a result of changing the criteria, the number of risks escalated to the exec- utive declined from 33 to 10, allowing a much greater focus on the most significant risks, while risks now rated as having a moderate risk level continued to receive focus at the divisional risk review meetings.

In early 2012, a new risk framework was put in place describing BCLC’s now maturing approach to enterprise risk management. The framework contained a section on determining appropriate risk responses, including a formal statement that BCLC had adopted the ALARP approach to determine the appropriate response to risk. This approach divides risks into three regions or zones:

1. An acceptable region, where further treatment may be undertaken but is not required

2. A tolerable region, where treatment should be undertaken dependent on cost/benefit analysis

3. An unacceptable region, where treatment to lower the risk is mandated

Exhibit 10.12 Specific Risk Impact/Likelihood Evaluation Exercise

Severity matrix (impact against likelihood; cell value is impact × likelihood):

                Rare  Unlikely  Possible  Likely  Almost Certain
Insignificant     1       2         3        4          5
Minor             2       4         6        8         10
Moderate          3       6         9       12         15
Major             4       8        12       16         20
Catastrophic      5      10        15       20         25

Markers on the matrix show, for each sample risk, the original rating, the rating given by each VP, and the consensus rating.

Taking an ALARP approach to risk response allows for flexibility when deter- mining the best approach to managing risk, and reflects that organizations may on occasion choose to adopt higher-risk strategies where the potential reward is deemed to be sufficient, or may elect to carry significant risk where the cost of treatment is felt to be prohibitive.

The relationships between criteria, severity, escalation, and tolerance are set out in Exhibit 10.13.

The next significant risk assessment and evaluation development was the expansion of the risk consequence criteria in August 2012 to include positive outcomes. Consideration of positive outcomes from uncertainty was introduced in ISO 31000, but has long been recommended within project management, for example in the Project Management Institute (PMI)’s Practice Standard for Project Risk Management. The concept was introduced for two reasons: to better engage those parts of the organization that were aiming to become highly innovative, and to better assess the risks associated with new initiatives. The new approach enables the comparison of risk with potential reward, and establishes the idea that both threats and opportunities are associated with uncertainty.

The new consequence table was based as previously on the key BCLC goals but for the first time included consideration of both positive and negative impacts, with benefits considered as opportunity and loss/harm as threat. The table has four levels of positive outcomes and four levels of negative outcomes (with a neutral zone bridging the two). BCLC has opted for a symmetrical approach so that a given level of negative outcome in any of the dimensions is balanced by the equivalent level of positive outcome. For example, one of the existing financial criteria references the possibility of making a loss of up to $5 million. Therefore, the parallel positive consequence is a potential gain of up to $5 million. Likewise, in the overall severity matrix, the appetites and tolerances for positive risk follow the same principles already in use for negative risk.

Exhibit 10.13 Implementing the ALARP Approach to Risk Response

Severity matrix (impact against likelihood; cell value is impact × likelihood):

                Rare  Unlikely  Possible  Likely  Almost Certain
Insignificant     1       2         3        4          5
Minor             2       4         6        8         10
Moderate          3       6         9       12         15
Major             4       8        12       16         20
Catastrophic      5      10        15       20         25

ALARP regions overlaid on the matrix:
- Unacceptable region: risk cannot be justified save in extraordinary circumstances.
- Tolerable region, upper band: tolerable only if risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gained.
- Tolerable region, lower band: tolerable if the cost of reduction would exceed the improvement gained.
- Acceptable region: necessary to maintain assurance that risk remains at this level.

The relationship between risk criteria, severity assessment, escalation, and tolerance.

The new table was incorporated into the business case template, with sim- ple graphical maps produced as an outcome of a detailed assessment showing the overall risk profile of any proposed initiative. These maps are used as one of the fac- tors determining both the selection of initiatives and the level of risk management support and monitoring subsequent to approval. The approach has proved very helpful for both risk mitigating proposals to be able to demonstrate value more clearly and for those initiatives that have a more balanced profile to incorporate risk treatment plans from a much earlier stage, allowing for better risk planning and resourcing.

Exhibit 10.14 shows an example of the summary charts produced as an outcome of a business case risk assessment exercise. The business case is for an initiative that is primarily designed to reduce existing risks across a number of organizational objectives. The bars show the current threat and opportunity assessment, while the lines show the anticipated effect of the initiative on the organizational risk profile. The matrix looks at the overall balance between threat and opportunity, with the pre- and post-treatment statuses showing very positive changes. This initiative was approved and is proceeding. Because of the high levels of uncertainty, monitoring of threat mitigation and benefit realization will be important.

Exhibit 10.15 shows another example, this time for an initiative with very low levels of uncertainty. The overall effect of the initiative on the organization’s risk profile is broadly neutral. This initiative was also approved and is proceeding. As levels of uncertainty are low, monitoring will be minimal.

Although there was a significant learning curve both for the teams participating in the risk assessments and for senior management in interpreting the results,

202 Implementing Enterprise Risk Management






O p

p o

rt u

n it



Pretreatment Posttreatment


Low High











25 Player People Public Profit Process

S u

m m

ar y

R is

k S

co re


OPPORTUNITY Initial opportunity level Level after treatment

Initial threat level Level after treatmentTHREAT

Exhibit 10.14 Business Case Risk Assessment Output Example 1

the new approach was endorsed by management and was used again in 2013 with some minor improvements to increase consistency.

Linking discussion of potential rewards with potential problems has supported the development of a more nuanced view of risk across BCLC and proved more culturally acceptable to individuals and groups tasked with developing innovative practices, as there is less of a focus on asking “What could go wrong?” and more emphasis on “What is not certain?” This has helped the ERM program to counter the viewpoint held by some groups that managing risk is a necessary but uninspiring and possibly bureaucratic exercise required by a risk-averse corporation, and has led to a better understanding that becoming risk-aware helps in embracing change and achieving objectives.

[Exhibit 10.15 figure: Summary Risk Score (scale from 25 to –25) by organizational objective (Player, People, Public, Profit, Process), with bars for the initial opportunity level and initial threat level and lines for the level after treatment; an Opportunity (Low/High) versus Threat (Low/High) matrix shows the pretreatment and posttreatment positions, which are broadly unchanged.]

Exhibit 10.15 Business Case Risk Assessment Output Example 2

CONCLUSION

This case study has described how enterprise risk management has developed over the past 10 years at BCLC, a Canadian crown corporation offering lottery, casino, and online gambling. BCLC’s enterprise risk management program has been developed over time through a combination of internal experiential learning and the application of specialist advice. The program’s success has been due to the dedication of a number of key individuals, the support of senior leadership, and the participation of BCLC employees.

The approach to ERM has evolved from informal conversations supported by an external assessment, through a period of high-level corporate focus supported by a dedicated group of champions using voting technology, to an embedded approach, where risk assessments are incorporated into both operational practice and planning for the future using a variety of approaches, depending on the context. The increasing maturity of the program has been mapped to a simple scale adapted from a model developed by Deloitte (Exhibit 10.16).

BCLC’s current approach to managing risk is one that recognizes that, in order to innovate and develop, it needs to embrace change with all the associated uncertainty that brings. At the same time it needs to protect its reputation and preserve the integrity of its systems and processes. Risk awareness and appropriate response are thus essential in both day-to-day and longer-term strategic planning.

BCLC is moving into a more challenging future and working to transform into an increasingly dynamic and innovative organization, where effective risk management will increasingly become a core competency for success. As its leaders reflect on 10 years of enterprise risk management, there are still plenty of challenges ahead in order to continue to sustain and develop its program. In particular they are looking to automate monitoring and reporting.

Maturity scale (adapted from Deloitte)

1: Unaware
• No formal procedures for risk assessment
• Depends primarily on individual heroics, capabilities, and verbal wisdom
• Ad-hoc/chaotic

2: Fragmented
• No focus on risk inter-linkages
• Limited alignment of risk to strategy
• Disparate monitoring
• Reaction to adverse events by specialists
• Discrete roles established for small sets of risks
• Risk definitions vary across the organization

3: Coordinated
• Policies, risk authorities defined and communicated
• Common approach for routine risk assessments
• Communication of key risks to the Board
• Executive committee for risk management established
• Dedicated team
• Primarily qualitative
• Reactive

4: Systematic
• Coordinated risk management activities
• Risk appetite is defined
• Enterprise-wide risk monitoring, measuring and reporting
• Training
• Risk analysis tools developed and communicated
• Integrated response to adverse events
• Rapid escalation
• Proactive

5: Strategic
• Embedded in strategic planning, resource allocation, business/product development, and other key decisions
• Early warning risk indicators
• Linkage to performance measurement and incentives
• Risk modeling and scenarios
• Industry benchmarking
• Technology implementation
• Sustainable

BCLC timeline
2003 • EROM assessment
2006 • IA ERM assessment
2006–2007 • ERM program launch
2008 • Quarterly ERM reporting
2010 • Updated ERM guidance issued • Internal Audit ERM review
2011 • ERM move to CFO
2012 • New ERM framework
Next steps: • Introduce supporting technology • Develop GRC synergies

Further milestones shown on the timeline: • ERM manager recruited • ERMAC established • ERM policy produced • 1st ERMAC assessment • Board assume primary ERM oversight • Risk Planning Group established • Opportunity criteria incorporated • Strategic risk • Realignment of risk criteria • High risks formally assigned to VPs • New risk manager recruited • Risk workshops • Risk registers established

Exhibit 10.16 BCLC’s Journey toward Risk Management Maturity


QUESTIONS

1. Sometimes risk workshops generate so many risks that it is not possible to assess all of them, while on other occasions only a small number of risks are identified and in-depth assessment is possible. What are the advantages and disadvantages of these two scenarios?

2. How do outcomes, causes, and risks differ, and what are the implications of confusing these?

3. Is the term inherent risk helpful? How could it help and/or hinder the assessment of risk?

4. What are the implications of moving from assessments of predefined sets of risks to using top-down objectives based on the balanced scorecard approach?

5. Contrast the advantages and disadvantages of using voting technology compared with other approaches such as those described in this case study.

NOTES

1. The Sarbanes-Oxley Act of 2002 was enacted in the United States as a response to a number of corporate governance scandals and introduced a number of financial governance regulations, including the requirement to produce a report on internal control.

2. The CBC investigative series Fifth Estate aired an episode entitled “Luck of the Draw” on March 14, 2007, about insider wins, featuring the story of Bob Edmonds, who was defrauded out of his lottery winnings by a retail clerk.

3. The Player First program was BCLC’s response to the Ombudsman report and Deloitte recommendations, a collection of significant change initiatives under way from 2007 to 2011 designed to put the player at the forefront of BCLC activities.

4. Bow-tie analysis is a simple diagrammatic way of describing and analyzing the pathways of a risk from causes to consequences. The approach is outlined in ISO 31010 risk assessment techniques. Also see pages 291–293 of Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, ed. John Fraser and Betty J. Simkins (Hoboken, NJ: John Wiley & Sons, 2010).

5. The balanced scorecard was originated by Drs. Robert Kaplan and David Norton as a performance measurement framework that added strategic nonfinancial performance measures to traditional financial metrics to give managers and executives a more balanced view of organizational performance.

REFERENCES

AS/NZS 4360:2004 Risk Management.
BCLC Annual Service Plan Report 2012/2013.
BC Ombudsman. 2007. “Winning Fair and Square: A Report on the British Columbia Lottery Corporation’s Prize Payout Process.”
British Columbia Treasury Board. Core Policy and Procedures Manual (CPPM). “Risk Management,” Chapter 14.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. “Enterprise Risk Management—Integrated Framework.”
Deloitte & Touche. 2003. “Enterprise-Wide Risk & Opportunity Management (EROM)—Phase 1 Final Report.”
Deloitte & Touche. 2007. “Report on the Independent Review and Assessment of the Retail Lottery System in British Columbia.” October.
Ernst & Young. 2010. “Results of the Enterprise Risk Management Benchmarking Study Involving 11 Participating Organizations.”
ISO 31000:2009 Risk Management—Principles and Guidelines.
Society of Actuaries. 2009, 2010. “A New Approach for Managing Operational Risk.”

ABOUT THE CONTRIBUTOR

Jacquetta Goy is the Director of Risk Management Services, Thompson Rivers University and former Senior Manager, Risk Advisory Services at British Columbia Lottery Corporation, responsible for establishing and developing the enterprise-wide risk management program. Prior to that she spent 14 years in the English health service, where she was responsible for setting up and developing the risk, quality, and governance programs for an inner-city health care organization. This involved preparing for a variety of accreditation reviews and inspections, managing quality assurance, audit, complaints, clinical risk, investigations, and root cause analysis. Jacquetta has both participated in and organized a number of conferences on both risk and quality management. She studied international politics at Aberystwyth University, Wales, and has a master’s in public health from St. George’s University of London. Currently, she is a member of the Canadian Committee for Risk Management and Related Activities, Canadian Standards Association, and one of the Canadian delegates on the international technical committee for risk management (TC262). She can often be found on various LinkedIn risk groups advocating ISO 31000.


Starting from Scratch: The Evolution of ERM at the Workers’ Compensation Fund

DAN M. HAIR
Senior Vice President, Chief Risk Officer, Workers Compensation Fund

Modern workers’ compensation systems are children of the industrial revolution. The concept of a social insurance program protecting workers from job-related injuries and illnesses had its modern origins in the development of European factory, child labor, and mining regulations throughout the eighteenth and nineteenth centuries. In the United States there was a long gestation period leading to the adoption of similar schemes. In the nineteenth century accidents in the mining and railroad industries led to early regulatory structures in those areas. The Russell Sage Foundation’s Pittsburgh Survey of 1907 along with the Triangle Shirtwaist Factory fire in 1911 were major factors in the adoption of the first state workmen’s compensation laws from 1911 to 1915.

In 1917, the Utah legislature passed the Workers’ Compensation Act, requiring all employers to obtain workers’ compensation insurance coverage. The Workers Compensation Fund (WCF), then called the State Insurance Fund, was created to provide competitively priced insurance to Utah employers. In the same year, the legislature appropriated $40,000 from the state treasury for WCF to begin writing insurance. This loan was repaid by WCF in four years, and from that time forward WCF has operated financially independent of the state and has functioned largely as a state agency.

A formal organizational study of WCF was completed in 1987. It recommended autonomy from state administration by establishing WCF as a quasi-public corporation with a board of directors comprised of policyholders and individuals with expertise. In 1988 the Utah legislature again modified its statutes to protect the state from any WCF expenses or debts and to prohibit the state from accessing the Injury Fund. In 2005 the Utah Supreme Court ruled that WCF and all of its assets were solely owned by its policyholders.

Today, WCF operates as a mutual insurance company owned by its policyholders and governed by a seven-member board of directors appointed by the governor. WCF performs a public purpose relating to the state and its citizens. Specifically, WCF serves as Utah’s carrier of last resort for workers’ compensation insurance coverage. As such, any Utah employer, no matter its size, the riskiness of its business, or its prior loss history, can obtain workers’ compensation insurance coverage from WCF.

WCF is under state regulatory oversight provided by the Utah Department of Insurance and Utah Labor Commission. WCF also receives annual rating agency financial oversight through the A.M. Best Company, which examines, among other things, solvency, operating performance, risk-based capital requirements, and enterprise risk management (ERM) capabilities. Currently, WCF is rated A or excellent. WCF has its headquarters in Sandy, Utah, and additional branch offices in central, northern, and southern Utah. It also owns affiliated companies that are licensed to write workers’ compensation insurance and perform claims management services in other states as well.

TOWARD ERM PROGRAM INITIATION

The early 1990s were a time of transformative change at WCF. In 1992 the board hired a new president and CEO, Layne Summerhays, who soon added additional executives. The resulting executive group was an amalgam of new leaders who had spent their careers in the private sector and retained leaders with critical institutional memory and experience with the workers’ compensation system in Utah. The new executive team established a focus on customer service, internal accountability, operating efficiency, and private carrier best practices.

In the ensuing years WCF obtained its initial (A–) A.M. Best rating, significantly improved operating results and customer satisfaction, grew its surplus from $67 million to more than $600 million, and returned 40 percent of net income to policyholders in dividends. These impressive results came despite the vagaries of market cycles and some very difficult strategic challenges.

Utah has been a very competitive insurance market for many years. Competitors have included large, national multiline carriers, national workers’ compensation specialty carriers, and locally domiciled insurers. Their ability to quote multiple lines of insurance in and out of Utah put WCF at a distinct competitive disadvantage. Additionally, as WCF’s fortunes changed, various parties initiated discussions within the legislature regarding WCF’s structure, its future status as a tax-exempt market of last resort, and the ultimate ownership of company assets.

These two significant risks were tackled by the management team in close collaboration with the board. Working toward solutions involved risk assessment, evaluation of options, and envisioning potential outcome scenarios, both positive and negative. Ultimately the multistate issue was creatively resolved by working with the legislature to get limited statutory changes in an amicable fashion and the formation of an affiliated company. Resolving ownership of company assets was a more contentious issue between WCF and the executive branch of state government. This was only resolved after the board and management determined it would be necessary to take legal action by suing the State of Utah. The resulting litigation was decided in favor of WCF by the landmark 2005 Utah Supreme Court decision.


This episode in the history of the company, which involved robust discussion of risk, potential scenario development, and close collaboration with the board, was the foundation for what has followed. In addition, at the company’s annual retreat and planning session for board members, senior vice presidents, and vice presidents in 2006, time was set aside for consideration of the range of potential risks to the company. Returning from this board retreat, the executive team began an ongoing discussion of key strategic risks and opportunities that continues to this day.

Although the financial trials of the Great Recession of 2007–2011 did not seriously impact the solvency of WCF or the property-casualty insurance industry, they certainly stimulated boards to think about risk, fat tails, black swans, and low-frequency, high-severity events. This watershed event also resulted in financial rating organizations such as Standard & Poor’s and A.M. Best moving toward the development of much more robust questioning of rated firms’ capital management, risk assessment practices, and enterprise risk management capabilities.

At this time WCF’s President and CEO, Ray Pickup, along with Board Chair Dallas Bradford and other directors, began serious discussions of the need for more formality and structure in the company’s risk management efforts. As the former CFO, Ray Pickup not only had a deep understanding of risk but a passion for transparency and openness, as well as a self-effacing management style that valued input from all areas of the company. As a retired partner in a public accounting firm, Chairman Bradford had long dealt with issues of risk and was a self-described “glass is half empty guy” who “imagined the worst scenario.” He noted that when a company’s risk management efforts fail, “a great many people would be financially damaged and the company’s public image would perhaps be irreparably damaged.” He also expressed that “The company had done some significant work in this arena, but little of it had been documented and there was no clear response mechanism in place. Also, there was no organized process in place to evaluate the various risks. It was an easy step for me to encourage the company to undertake a much more rigorous program to identify and manage potential risks that could severely damage our company and the important public interests we serve.”1

INITIAL ACTIONS

In late 2010 Ray Pickup, with the approval of the board, created the chief risk officer (CRO) position, designating Dan Hair, who had been and would continue to serve as the Chief Underwriting and Safety Officer, as the first CRO. An additional committee of the board, the Risk Oversight Committee, was also created. The job description for the new CRO position contained several key elements (see WCF Chief Risk Officer Job Description). First, the CRO was to report to the president and CEO but with additional reporting responsibilities to the board and the newly formed Board Risk Oversight Committee. This was reinforced by the CEO, who encouraged direct access to the board by the CRO, including the airing of any differences of opinion. Second, the CRO was to have access to all areas of the company and its affiliates. This was fundamentally important if the CRO was to have an enterprise-wide understanding of all the risks facing WCF. Third, implicit in the job description and explicit in the WCF Risk Policy (see WCF Risk Policy) is the idea of excellence in the development of a program that is suitable and appropriate for WCF.

January 25, 2011: Initially the CRO, working with Chief Financial Officer Scott Westra, developed a preliminary risk assessment matrix to be used by the senior officers in a Delphi qualitative assessment of all risks facing the company. Each executive was asked to look at a list of risks provided by the CRO, add to it any risks they felt should be considered, and score the severity and probability of those risks. Several meetings followed with the entire senior team to come to a consensus on the matrix, scores, and risk list. Initial results were then presented to the entire Board, which resulted in further refinement of the matrix and heat maps (Exhibits 11.1 and 11.2). The Board and management were in agreement that risk appetite should primarily be evaluated by impact on WCF surplus. This was later refined to include statutory combined ratio and operating income. Senior management was explicitly tasked with developing mitigation plans for any risks scoring in the red area of the heat map.

WCF Chief Risk Officer Job Description

Position Purpose

The purpose of this position is to develop and monitor the Risk Management strategy, policies, and processes under the direction of the CEO, Board of Directors, and Board Risk Oversight Committee. Ensure that appropriate risk assessment and mitigation strategies are developed for all core functions of WCF.

Nature and Scope

The Chief Risk Officer (CRO) is a Senior Executive with 10–15 years of experience who has a broad understanding of all key areas of the business. The CRO possesses management experience in key business areas with proven ability to provide strategic direction and leadership. He/she has superior analytical, presentation, communication, and facilitation skills. The incumbent usually possesses advanced degrees and/or technical certifications in accounting, actuarial, risk management, operations, or finance.

Performance is measured on overall achievement of company financial objectives and the effectiveness of the ERM program in developing and implementing the best approaches for protecting WCF, its employees, and assets.


Principal Duties

Essential Functions

1. Develops and communicates an appropriate Enterprise Risk Management (ERM) infrastructure within WCF by working cooperatively with the Senior Officers as a group and with each department in a collaborative manner.

2. Under the direction of the CEO, works with other company executives and the Board Risk Oversight Committee to develop an ERM strategy for WCF that identifies, quantifies, and mitigates risks facing the company. Provides appropriate risk reporting.

3. Consults with and provides assistance as requested to WCF affiliates and subsidiaries. Works with them to ensure that appropriate ERM planning is in place.

4. Facilitates enterprise-wide risk assessments and monitors the capabilities around managing priority risks across the organization.

WCF Risk Policy

Failure to manage risk, whether it is financial, operational, or reputational, may subject the Company to negative outcomes. These outcomes could impact our customers, colleagues, partners, and the viability of our business. Managing risk reinforces our corporate values of compassion, accountability, and expertise.

Consequently, every employee, WCF department, and affiliate will continually assess and monitor risks of all types. Under the direction of Senior Management and the Board of Directors we will take appropriate mitigation actions consistent with our mission of excellence.

In subsequent months the CRO met with the leadership of each WCF department and affiliate to explain the importance of the ERM program, why it was being launched, and their role in the program. Basic risk management training was given to them along with a modified departmental risk matrix. Their views on risks within the company and their departments were solicited and they were guided to the development of their own heat maps. At the same time the initial meeting of the Board Risk Oversight Committee was held and the duties of the Internal Risk Committee (IRC), chaired by the CRO, were established (see WCF Internal Risk Committee Duties). This effectively created an ongoing three-level review of risk consisting of the board, senior management, and key company leaders.

Exhibit 11.1 WCF ERM Risk Management Matrix Values

Incident or exposure probability descriptions (Risk = P × S)
Very low (1): Improbable, no prediction confidence (P = .01/range = <.02)
Low (2): Remote, may occur once every 10 to 50+ years (P = .02)
Moderate (3): Occasional, may occur once every 3 to 10 years (P = .16/range = .10 to .33)
High (4): Probable, may occur once every 2 to 5 years (P = .25/range = .20 to .50)
Very high (5): Frequent, could occur annually (P = .50/range = .50 to 1.0)

Incident or exposure severity descriptions
Slight loss (1): Inconsequential with respect to financial, personnel, or brand damage: less than 1% of surplus, or $10M loss or a 1- to 5-point impact on combined ratio.
Medium loss (2): Important financial, personnel, or brand damage; threshold of financial materiality, 5% or more of surplus, or $11M to 25M loss or a 6- to 10-point impact on combined ratio.
Material loss (3): Material damage to financial strength, personnel, or brand; $26M–$50M loss or an 11- to 15-point impact on combined ratio.
Large loss (4): Significant damage to financial strength, personnel, or brand; 10% or more of surplus, or a $51M to $75M loss, could damage stakeholder confidence or a 16- to 20-point impact on combined ratio.
Very high loss (5): Catastrophic impact on solvency, brand, or personnel; 50% or more of surplus; greater than a $75M loss, would damage stakeholder confidence or a combined ratio impact of >20 points.

WCF Internal Risk Committee Duties

Description
• Meets quarterly under the direction of the Chief Risk Officer.
• Attended by representatives/risk champions from each department or business unit.
• Reviews reports on department risk identification and mitigation efforts.
• Reviews risks and risk mitigation efforts company-wide.
• Receives training in risk recognition and mitigation techniques from CRO and others.
• Helps develop WCF risk policies and resources.
• Assesses risk integration and response issues.

Members
• Preferably business unit managers or leaders with interest in risk management.
• Ability to train and coach others.
• Thorough understanding of all aspects of the department/business unit.

Standing Agenda
• Review/update WCF key risks and mitigation efforts.
• Review/update department or business unit key risks and mitigation efforts.
• Training in ERM, risk identification, and control techniques (CRO or guest speakers).
• Committee member new business.
• Improving/strengthening the risk culture at WCF and affiliates.

In its initial meetings, the Board Risk Oversight Committee, which meets two or three times per year, approved the IRC Charter and gave direction and feedback regarding initial efforts. One valuable suggestion was to do a risk survey of the entire company. Although approximately one-third of WCF employees had already been involved in ERM activities to date, this was a very helpful idea. Over 50 percent of all employees responded (see 2012 All-Employee

[Exhibit 11.2 figure: heat map with incident or exposure probability (Very low (1) to Very high (5)) on one axis and incident or exposure severity (Slight loss (1) to Very high loss (5)) on the other; cell shading darkens with the risk score. Risks plotted, with their risk score in parentheses:]
• (9) Large Earthquake
• (8) AWCIC Failure
• (4) Violent Security Breach; (3.84) Pinnacle or AWCIC Failure; (5.04) Data Breach With Loss of Data
• (2) Other Credit Risks - Receivables
• (5.2) Detrimental State Regulatory Action; (4.64) Catastrophic Multi-Claim Incident; (4.5) Loss of Tax Exemption Retroactively; (5.76) Other Detrimental Federal Regulatory Action; (6.46) Terrorist Act; (5.8) Adverse Loss Reserve Development; (6) Inflation Risk; (7.02) Multi-Year High Combined Ratio
• (12) Loss of Tax Exemption; (12) Multi-line competition, leveraging
• (9) Prolonged Economic Downturn Beyond 2011; (9) Prolonged Soft Market Beyond 2011
• (6) Bond Credit Risk; (6.24) Malevolence Against Company; (5.52) Significant Number of Large Losses in Single Year; (6.9) Interest Rate Risk
• (4) Employee Malfeasance
• (10) Equities or Securities Impairment

Exhibit 11.2 WCF Risk Assessment Matrix; the increased darkness corresponds to the risk, i.e., low = least dark, medium = middle shade, and high = darkest.

Risk Score
Under 4: Category 1: Risk reduction actions discretionary, risk acceptable
4 to 8: Category 2: Ongoing risk assessment appropriate with informal mitigation but may be within risk tolerances; to be discussed with Internal Risk Committee
9 or greater: Category 3: Unacceptable risk, triggers scenario planning and development of mitigation plan to be presented to Board Committee

ERM Survey). The survey was done electronically with optional anonymity for all participants.

2012 All-Employee ERM Survey

• What are the most important challenges facing WCF today?
• What are the greatest threats to our reputation/brand?
• What local or national events or trends should cause us the most concern?
• What other issues should the Chief Risk Officer be concerned about?
• Name (optional)

Initial IRC discussions were robust and enthusiastic. The mix of company officers, managers, and risk champions worked effectively together. Many of the risks that were contained in the consolidated risk list they developed were also identified by the senior group and the company-wide survey. Having wide unanimity on which risks were most important was very helpful and allowed effective focus. Early on it was decided to split the list of risks thus developed into two sections. The first section contained the risks that, as department leaders, the IRC could impact and manage. The second-tier risks were those that were of a strategic nature or just simply could only be managed by senior management.

The initial duties of the Internal Risk Committee were to review all the department risks, consolidate them where possible, and come up with a consensus scoring using the risk matrix. The committee was split into a gold team and a blue team to accomplish this and report back to the IRC, whereupon a consensus was reached. Mitigation plans were discussed and developed where appropriate. In some cases this involved tailored mitigation steps. In many others it was determined that existing WCF and department management protocols and procedures were adequate. It is the ongoing duty of the IRC to meet quarterly to discuss the adequacy of existing mitigation efforts and to consider new risks. In each meeting of the IRC, members are asked to again consider the question “Have we adequately protected the company against these risks?” Many of the early discussions of the IRC were taken up with data security concerns, particularly relating to the Health Insurance Portability and Accountability Act of 1996. The committee also focused on cyber risk, other operational risks, affiliate risks, and compliance risks.

As a final note to this section, developing and maintaining positive and helpful relationships with other executives is very important. Two roles that are especially important at WCF are the CFO and the company’s head of Internal Audit. At WCF they work closely and effectively by fully sharing information, both internal and external. Both the CFO and Internal Audit leader participate in the IRC. The CRO has no direct authority over other executives, so he or she must work in a collaborative manner, building consensus as to needed measures and ERM development. Should problems arise, the CEO has been willing to intervene in support of the ERM program, but that has rarely been needed.


MATURING: YEARS 1 AND 2

In the spring of 2011 a new tool was added to the ERM program with the introduction of the risk register (RR). Although this did not replace the risk list and heat maps, it consolidated all that information into one Excel file (see Exhibit 11.3) and added new elements necessary to properly manage risk. This is the primary document WCF uses to monitor enterprise risks.

The first cell contains each risk’s assigned number and designation reflecting whether it is assigned to the IRC or to senior management. There are currently about 25 of each. A description of each risk is in the next cell, which is refined from time to time. The next cell captures risk correlation by listing the number of other risks in the document believed to be likely to occur at the same time or to be interrelated in some way. For example, a prolonged economic downturn affects other risks such as market cycle risk and pricing risk.

The next six cells in the RR deal with how the risk is scored and the potential loss to the company. The probability and severity scores are listed as currently scored. These are subject to modification to reflect changing conditions or successful mitigation. The risk score is listed and the cell is filled with light gray/medium gray/dark gray indications. The risk matrix gives ranges for both probability and severity, and selections are made for both and entered as AP (actual probability) and severity potential. These two cells are multiplied to produce a potential loss value. In a separate chart produced for the board, this cell is graphed into a tornado chart (see Exhibit 11.4) to give a representation of total potential losses at any one time. The CRO also prepares for them a separate modified heat map that shows only the most critical risks and opportunities with indications of whether we feel they are increasing or decreasing (see Exhibit 11.5).

The remaining five cells include space for probability and severity-reduction targets, mitigations recommended by the IRC or senior management, the risk owners, and who originally identified the risk. Formal mitigation steps are entered for higher-scoring risks. Usually at least a dozen or so risks have mitigation plans. A mitigation plan could be a set of active steps designed to reduce or control a risk or simply those steps that have been taken and are deemed adequate. Where this field is blank it represents a consensus that the risk is appropriately mitigated by current WCF guidelines and protocols. The risk owners are primarily responsible for actively monitoring the risk and suggesting changes or actions. The origination column just gives a record of where the concern started. Multiple people or WCF departments can appear in both cells.
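The register logic described above (risk number with IRC or senior-management designation, correlation links, 1 to 5 probability and severity scores, AP times severity potential, tornado ordering, and the convention that a blank mitigation field means existing protocols suffice) as an added worked example in Python. This is not WCF’s spreadsheet or any code from the chapter: the five risks, their scores, AP values, dollar amounts, originators and correlation links are constructed sample data, and the heat-map shade cut-offs are an assumption, since the text names the three shades but not their thresholds. The mitigation-plan check uses the rule printed on the Risk Analysis Worksheet (Exhibit 11.8) that risks scoring 6 or greater must have completed mitigation plans.

```python
"""Risk register scoring (added example; constructed sample data, not WCF's register).

Formulas follow the chapter: risk score = probability score x severity score (1..25),
$ potential = AP x severity potential.  Heat-band thresholds are an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Risk:
    number: int
    assigned_to: str            # "IRC" or "SM" (senior management)
    description: str
    probability: int            # 1 (Very Low) .. 5 (Very High)
    severity: int               # 1 (Slight Loss) .. 5 (Very High Loss)
    actual_probability: float   # AP: chance of occurring in the period, 0..1
    severity_potential: float   # dollar loss if the risk materializes
    correlated_with: List[int] = field(default_factory=list)
    mitigation: str = ""        # blank = consensus that existing protocols suffice
    identified_by: str = ""     # origination column

    def __post_init__(self) -> None:
        # The matrix has five rows and five columns; reject anything off the grid.
        if not (1 <= self.probability <= 5 and 1 <= self.severity <= 5):
            raise ValueError(f"risk {self.number}: scores must be 1..5")
        if not 0.0 <= self.actual_probability <= 1.0:
            raise ValueError(f"risk {self.number}: AP must be a probability")

    def risk_score(self) -> int:
        return self.probability * self.severity

    def potential_loss(self) -> float:
        return self.actual_probability * self.severity_potential


def heat_band(score: int) -> str:
    """Shade for the score cell. Cut-offs (12 and 5) are an assumption, not from the page."""
    if score >= 12:
        return "dark gray"
    if score >= 5:
        return "medium gray"
    return "light gray"


def sample_register() -> Dict[int, Risk]:
    """Constructed sample register of five risks (WCF's holds about 50)."""
    risks = [
        Risk(1, "IRC", "Loss of sensitive data, HIPAA compliance", 3, 3, 0.20, 2_000_000,
             correlated_with=[4], mitigation="Encrypt PHI at rest; quarterly access review",
             identified_by="IT, Claims"),
        Risk(2, "SM", "Prolonged economic downturn", 2, 4, 0.10, 5_000_000,
             correlated_with=[3, 5], identified_by="Senior group"),
        Risk(3, "SM", "Unsuccessful pricing strategy", 2, 3, 0.15, 3_000_000,
             correlated_with=[2], identified_by="Underwriting"),
        Risk(4, "IRC", "Loss of critical vendor", 2, 2, 0.05, 500_000,
             correlated_with=[1], identified_by="IT"),
        Risk(5, "SM", "Bond credit risk", 3, 2, 0.10, 1_000_000,
             correlated_with=[2], mitigation="Investment policy credit limits",
             identified_by="CFO"),
    ]
    return {r.number: r for r in risks}


def tornado_order(register: Dict[int, Risk]) -> List[int]:
    """Risk numbers ordered largest $ potential first, as the tornado chart plots them."""
    ranked = sorted(register.values(), key=lambda r: r.potential_loss(), reverse=True)
    return [r.number for r in ranked]


def missing_mitigation_plans(register: Dict[int, Risk], threshold: int = 6) -> List[int]:
    """Risks at or above the worksheet threshold (score >= 6) with no mitigation entered."""
    return sorted(r.number for r in register.values()
                  if r.risk_score() >= threshold and not r.mitigation.strip())


def correlated_cluster(register: Dict[int, Risk], number: int) -> Set[int]:
    """All risks reachable through correlation links; links are followed in both directions."""
    seen: Set[int] = set()
    stack = [number]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(register[n].correlated_with)
        # Follow links recorded only on the other risk's row as well.
        stack.extend(m for m, r in register.items() if n in r.correlated_with)
    return seen


def correlated_potential(register: Dict[int, Risk], number: int) -> float:
    """Combined $ potential if every risk in the cluster materialized at the same time."""
    return sum(register[n].potential_loss() for n in correlated_cluster(register, number))
```

Following correlation links in both directions means a link recorded on only one row still pulls both risks into one cluster, and the cluster total is the figure to compare against the policy statement’s test for correlated risks occurring simultaneously.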

In late 2011 the CRO suggested to the CEO and board that at some time a third-party review of the program might be helpful in reviewing progress to date, as well as providing some benchmarks for future improvements through the following two to three years. The board agreed, and allocations were made in the 2012 budget to engage a recognized thought leader with experience in the field to review WCF’s ERM program. This was completed in the first quarter of 2012 and proved to be very helpful. The ERM expert thus engaged was Sim Segal, a Fellow of the Society of Actuaries (FSA), a Chartered Enterprise Risk Analyst (CERA), and president of Simergy Inc.

The engagement included a review of all documents relating to ERM at WCF to date, including matrices and heat maps in all their iterations. The risk register was reviewed along with minutes of all the IRC and Board Risk Oversight Committee meetings. This document review was followed by a lengthy discussion with the CRO responding to questions about the process, personalities, and content. A full day was spent by Sim Segal in one-on-one discussion with WCF’s president and CEO, the board chairman, other WCF executives, and members of the IRC.

Exhibit 11.3 Risk Register [spreadsheet figure; not reproduced in this text]

Exhibit 11.4 Internal Risk Committee Risks: Probable Cost [tornado chart; horizontal axis $0 to $6, $ Potential = AP x Severity Potential; bars distinguish Uncorrelated Risks from Correlated Risks]. Risks plotted: Bad Faith lawsuit, class action lawsuit; Catastrophic event causing multiple large claims; Transportation (aircraft) related catastrophic event (multipassenger, policyholder employees…); Subsidiary risk (AWCIC, Pinnacle); Monoline/Monostate business model, increased competition and loss of market share; Risk of delays/failures with the TORCS rewrite project; Risk of widespread misclassification resulting in inadequate rates; Legal environment-- case law, benefits, retroactive or prospective legislative changes that…; Premium fraud schemes; External employee risk exposure-- traveling, external appointments, working from home; Loss of sensitive data, HIPAA compliance; Inequity in benefits administration, regulatory fines, lawsuits; Loss of critical vendor (Software AG, IBM/Filenet and others); Negative Social Media/PR event; Loss of key employees including senior management; Medical advances at high cost; Internal employee risk exposure-- inside and around building, violence in the workplace; Approval/payment of treatments resulting in death (Rx meds, opioids, etc); Zions bank processing error/failure; Inadequate resources to meet business needs (employees, equipment, etc).

The final report with recommendations was given to and reviewed with all parties and discussed at the 2012 annual board retreat. The report was helpful in verifying WCF’s initial steps and pointing it toward several key future steps with some action items. These included more rigorous risk analysis of key risks using sophisticated process safety tools, engaging more closely with the affiliates and moving toward a more formalized approach to risk/opportunity issues.

The action items have been a primary focus throughout 2012 and 2013, and two are worth specifically addressing. The most consistent failure mode for property-casualty insurance carriers is reserve failures. Workers’ compensation claims have a very long tail in that costs are not finalized for many years. In fact, WCF is still paying on claims dating back to the 1950s. Case reserving involves an adjuster’s considered estimate of all costs to the end of the claim and an actuary’s judgment of the cumulative expected development on those claims. Some will close for less than the estimate whereas many will ultimately exceed the estimates by a considerable margin. If a carrier gets this wrong, it will become insolvent. The same is true for pricing workers’ compensation insurance. It is based on a volatile estimate of cost of goods sold and is subject to fluctuation and pricing error. While this does not usually result in insolvency, it can dramatically impact profitability. Therefore, claim reserving error and pricing error seem to be the best candidates for a more rigorous risk analysis.

Exhibit 11.5 Senior Management Risks: Threat/Opportunity Matrix (Top 10 by Risk Score) [figure; a 5 x 5 grid of risk scores from 1 to 25 with Severity on one axis (Slight Loss (1), Medium Loss (2), Material Loss (3), Large Loss (4), Very High Loss (5)) and probability on the other (Very Low (1), Low (2), Mod (3), High (4), Very High (5)); the legend marks each item as Threat, Opportunity or Both and shows risk movement since last review and risk trend based on status and current action; the table lists Risk title, Risk Owner and Risk Score]. Risks shown: Prolonged Economic Downturn Beyond 20…; Bond Credit Risk; Interest Rate Risk; Significant Number of Large Losses in a Single Year; Inflation Risk; … Failure/Rating Downgrade; Large Earthquake; Unsuccessful Pricing Strategy, High Multiyear Combined Ratio; Multiline Competition; Loss of Tax Exemption; Equities/Securities Impairments.

To make this analysis, a simple fault tree methodology was selected (see Exhibits 11.6 and 11.7).

The fault trees were developed through consultation with subject experts. They consist of an end point failure that WCF is seeking to avoid and levels of precipitating errors built upon each other that would lead to that top-level outcome. The final bottom end points would be factors for which WCF needs to build mitigation plans. In both cases significant variables are system malfunctions, human errors, and oversight failures. The finalized analyses are then reviewed with both risk committees.
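A fault tree of the kind shown in Exhibits 11.6 and 11.7 can be evaluated mechanically once its gate types are fixed. The following Python is an added example, not code from the chapter or from WCF: the end-event labels are taken from the Claim Reserving Error tree (Exhibit 11.6), but the gate logic (which events must coincide under an AND gate and which alone suffice under an OR gate) and the quoted intermediate gate names that do not appear in the exhibit are assumptions made for illustration. It computes the minimal cut sets, the single-event cut sets that are the first candidates for mitigation plans, and the cut sets that remain after an end event has been mitigated.

```python
"""Fault tree evaluation (added example; gate structure is an assumption,
event labels come from Exhibit 11.6)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set, Union

CutSets = Set[FrozenSet[str]]


@dataclass(frozen=True)
class Event:
    """A basic end-point event: one of the bottom boxes that needs a mitigation plan."""
    name: str


@dataclass
class Gate:
    name: str
    kind: str                               # "AND": all inputs must occur; "OR": any one suffices
    inputs: List["Node"] = field(default_factory=list)


Node = Union[Event, Gate]


def minimize(sets: CutSets) -> CutSets:
    """Drop any cut set that contains another; what remains are the minimal cut sets."""
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node: Node) -> CutSets:
    """Minimal cut sets: smallest combinations of basic events that cause `node`."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    children = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        combined: CutSets = set().union(*children)
    elif node.kind == "AND":
        combined = {frozenset()}
        for child_sets in children:
            combined = {a | b for a in combined for b in child_sets}
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    return minimize(combined)


def occurs(node: Node, failed: Set[str]) -> bool:
    """Does the top event occur, given the basic events that have actually happened?"""
    if isinstance(node, Event):
        return node.name in failed
    results = [occurs(child, failed) for child in node.inputs]
    return all(results) if node.kind == "AND" else any(results)


def single_points_of_failure(node: Node) -> List[str]:
    """Basic events that alone cause the top event: first candidates for mitigation."""
    return sorted(next(iter(s)) for s in cut_sets(node) if len(s) == 1)


def after_mitigation(node: Node, mitigated: Set[str]) -> CutSets:
    """Cut sets that remain when the mitigated events are treated as impossible."""
    return {s for s in cut_sets(node) if not s & mitigated}


def claim_reserving_tree() -> Gate:
    """Constructed tree using Exhibit 11.6 labels; the AND/OR structure is illustrative."""
    supervisory = Event("Supervisory Review or Oversight Failure")
    case_reserves = Gate("Case Reserves Miscalculation", "OR", [
        Gate("Missed case change goes uncaught", "AND", [        # gate name is constructed
            Event("Examiner fails to respond to changing case information"), supervisory]),
        Gate("Stale reserve goes uncaught", "AND", [             # gate name is constructed
            Event("Examiner fails to review reserves periodically"), supervisory]),
        Event("Other Undetected System Errors or Failure"),
    ])
    bulk_reserves = Gate("Bulk Reserves Miscalculation", "OR", [
        Gate("Actuarial Judgment Errors", "OR", [
            Event("Incomplete or Incorrect Data Used"),
            Event("Improper Modeling Technique Selected")]),
        Gate("Pressured actuarial result", "AND", [              # gate name is constructed
            Event("C-Suite Pressure"), Event("Actuary too Eager to Please")]),
    ])
    return Gate("Inadequate or Redundant Claim Reserves", "OR", [case_reserves, bulk_reserves])
```

Because the supervisory-review event appears in two AND gates, mitigating it alone removes two cut sets at once, which is the kind of leverage the review with both risk committees is looking for when deciding where mitigation effort goes.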

Finally, the other major focus in 2013 is on developing both a robust risk/opportunity assessment tool and determining the parameters for its use. For WCF an acceptable tool has been difficult to agree on. An initial form was developed and experimented with on a voluntary basis (see Exhibit 11.8). The form contained a restatement of WCF’s risk appetite/tolerance statement guiding the users in regard to when it should be used. A description of the proposed action was required along with cost and expected value explanations.

Identified risks to successful implementation were listed and scored using a matrix embedded in the tool. Mitigation strategies for risk scoring at a certain level were completed.

Information regarding the risk owner and approvals completed the form. The usefulness of the process seemed to lie in three areas:

1. The process could help users to cover all the bases in considering their plans.

2. It could also be helpful in creating a management review and oversight circuit breaker that many companies that fared poorly in 2007–2010 might today wish they had.

3. Finally, it provides a record of risk taking. We often look back on failures and ask: How did that happen? A good risk record might show us whether the issue was an unidentified, unforeseen risk, an execution failure, or just a failure in judgment.

The question seems to come down to whether present systems are adequate or whether additional formalization is worth the effort and extra work. After further consultation with the Board Risk Oversight Committee in late 2013, management decided to adopt a “principle-based guideline that could be used on a voluntary basis or required by management as desired.” (See pp. 223–224.) This approach gives maximum flexibility along with simplicity. Simple but fundamental questions are used to elicit understanding of a proposed action. Examples of ventures that might be suitable for an analysis are given and a simple follow-up process is described. So far, this approach has been successfully used several times and seems to meet the needs of the organization at this time.

Exhibit 11.6 Claim Reserving Error Fault Tree [figure; top event: Inadequate or Redundant Claim Reserves, fed by Case Reserves Miscalculation and Bulk Reserves Miscalculation]. Intermediate and end events shown: … Failure or Anomaly; Unexplained change in …; Internal calculations or assumptions; Basic math or benefit calculation error; Department QC reviews not effective or timely; Liberalization of Benefits Beyond Statutory Duty; Actuarial Judgment Errors; Incomplete or Incorrect Data Used; Unanticipated Benefit Structure Changes; Inadequate Inflation Factoring; C-Suite Pressure; Federal Reserve Actions; Pressure to adopt different factors or assumptions; Pressure to mis-state results or fail to report conclusions; Unanticipated National or Regional Economic Turns; Incorrect Assumptions of Inflation Changes; Overreliance on Paid or Incurred Methods; Improper Modeling Technique Selected; Actuary too Eager to Please; Problem with … Data Accuracy; Loss or Corruption of Data Undetected; Retroactive Benefit Changes; Prospective Benefit Changes; Other Compensability Changes; Lack of accountability measures for adjusters or Supervisors; Examiner fails to respond to changing case information; Examiner fails to review reserves periodically; Significant change in number of examiner overrides of … recommendation; Examiner Reserving Protocols Fail/Inadequate; Supervisory Review or Oversight Failure; Other Undetected System Errors or Failure.

Exhibit 11.7 Pricing Error Fault Tree [figure; top event: Book Pricing Error/Inadequate Rates, fed by Individual Accounts Pricing Errors, Underwriting System or Underwriting Management Errors, LC… Errors, and Loss Cost Errors]. Events shown: Underwriter Exceeds Underwriting Authority; Underwriter Fails to Follow Department Guidelines; Underwriter Gives in to Market Pressure; Underwriter Pricing Decision Overridden; Underwriter’s Analysis is Flawed or Incomplete; Malfeasance or Ethical Lapses; Failure of PM Model to Accurately Predict Loss Ratio; Other Undetected System Errors; Flawed Analytical Tools (Rate/R…); Supervisory Review or Oversight Failure; Conceptual Weaknesses … the Underwriting Guidelines; …uite Risk; Regulatory Resistance; NC… Miscalculation; Other Undetected Management Failure. Figure note: each end event shown in the bottom rectangular boxes will have its own series of mitigation actions designed to limit the possibility of occurrence.

222 Implementing Enterprise Risk Management

Risk Analysis Worksheet

It is the policy of WCF senior management to identify risk exposures that represent a potential “material” loss to the Company with an occurrence probability of “moderate” or higher. Material loss is defined as >5% of specific company surplus, or Departmental budget. In addition, management will identify correlated risks that, occurring simultaneously, would trigger either of these or an income statement loss greater than 10% of annual premium.

Company, Department, or Subsidiary:

Proposed Action, Product, or Operational Change:

Potential Risks (each scored with a Prob. Score, a Sev. Score, and a Total Score)

Incident or exposure probability descriptions:

Very Low (1): Improbable, no prediction confidence
Low (2): Remote, may occur once every 10-50+ years
Moderate (3): Occasional, may occur once every 3-10 years
High (4): Probable, may occur once every 2-5 years
Very High (5): Frequent, could occur annually

Incident or exposure severity descriptions:

Slight Loss (1): Inconsequential with respect to financial, personnel, or brand damage. Less than 1% of surplus or $10M loss or less
Medium Loss (2): Important financial, personnel, or brand damage; 5% or more of surplus or $11M-$25M loss.
Material Loss (3): Material damage to financial strength, personnel, or brand; 10% or more of surplus or a $26M-$50M loss.
Large Loss (4): Significant damage to financial strength, personnel, or brand; 10% or more of surplus or a $51M-$75M loss, could damage stakeholder confidence.
Very High Loss (5): Catastrophic impact on solvency, brand or personnel; 50% or more of surplus, greater than a $75M loss, would damage stakeholder confidence.

Potential risks scoring 6 or greater must have completed mitigation plans.

Spaces requiring input are shaded.

Mitigation Plans and Risk Owners (Attach additional documentation as needed)

Expected Value of Action

Implementation Costs

Completed by: Dept. SVP: Dept. Manager or VP: CEO: Chief Risk Officer:

Exhibit 11.8 Risk Analysis Worksheet


WCF Group—Risk Assessment Framework February 2014

In order to protect our assets, our employees and our customers, WCF is committed to excellence and consistency in risk assessment and risk management. We are creating a risk assessment process that is transparent, scalable and productive. An effective process is one that promotes a thorough analysis and provides a framework for successful execution of the initiative.

Principle Based Format

The following questions should be addressed in a single document for new ventures or initiatives meeting the risk assessment “trigger”:

1. Why do we need to take this step at this time and what are the expected costs and benefits?

2. What are the key risks (financial, operational, market, strategic, etc.) involved in the initiative?

3. How will each risk be mitigated? (Identify the specific controls to be applied.)

4. What are the most likely outcomes of the venture, as well as the worst and best case scenarios?

Examples of initiatives triggering a risk assessment

1. Significant pricing changes, e.g. refiling Loss Cost Modifiers.
2. Legislative initiatives proposed by WCF.
3. Changes in commission structure.
4. IT software or hardware purchases in excess of $500,000.
5. Changes in claim reserving methodology or claims settlement policy.
6. Investment initiatives requiring a change in investment policy and/or including a commitment of assets of $20,000,000 or more.
7. Other non-investment initiatives requiring a financial commitment greater than $500,000.
8. Significant changes to our reinsurance structure or policy.

Approval and follow up

1. The risk assessment should be completed prior to the initiative’s presentation to senior management or the Board for approval with a copy provided to the Chief Risk Officer.

2. At reasonable milestones, and at the conclusion of the project, the CRO will follow up with the project leaders to assess: (A) Are the original goals of the initiative being met? (B) Are actual costs in line with expected costs? (C) Are the risk mitigation strategies being executed successfully? (D) Would we make the same decision if we had it to do over again?

THE FUTURE

At the time of the preparation of this chapter, WCF is analyzing the results of its second employee survey (see 2013 All-Employee ERM Survey). The questions in the survey were reviewed with both the IRC and the Board Risk Oversight Committee prior to the survey, and again, about half of the company’s 300+ employees have responded. WCF is trying to ascertain whether it is truly developing a risk-sensitive culture and whether it has any barriers to the free expression of concerns and ideas. This desire for transparency and openness has been clearly and publicly articulated by both the president and the chairman. Analysis of the survey results, when completed, will be presented to the board.

2013 All-Employee ERM Survey

• Are there any risks the company faces that you don’t feel are being adequately addressed?

• Do you feel comfortable raising concerns about risk at WCF and do you feel they will be taken seriously?

• What should be done to help employees carefully consider risks, communicate concerns, and take appropriate actions to mitigate risks?

• Are there areas of WCF’s Enterprise Risk Management Program that you would like to know more about?

• Name (optional)

The question of how much is enough is one WCF continues to grapple with. For better or worse, it is one in which both its regulator and its rating agency are giving specific direction as well. In the past couple of years A.M. Best has become increasingly clear regarding its expectations of the companies it is rating. Speaking at an industry conference in the spring of 2012, Group Vice President Ed Easop outlined an approach of generally matching ERM expectations to the general risk profile of the company. Where a carrier’s ERM risk capabilities did not measure up to its risk profile, its rating might be notched down or capital requirements might be raised. If a carrier’s capabilities matched or exceeded its risk profile, more favorable ratings treatment and lower capital requirements would be likely.

More recently A.M. Best addressed this in greater detail at its annual conference in March 2013. A.M. Best indicated that although the property-casualty industry is making progress in developing ERM programs, information gleaned from its supplemental risk questionnaires leaves little doubt that the industry has a long way to go. The rating agency also spelled out in great detail the underlying characteristics of its ERM rating levels of superior, strong, good, and weak in 17 key risk management areas. WCF will have its annual rating discussion meeting with A.M. Best in late fall 2013. It will be interesting to receive feedback in those meetings regarding the rating agency’s perception of the WCF risk profile and the adequacy of WCF’s efforts to date.

Since 2013, the state regulator, the Utah Department of Insurance, has not engaged WCF on this subject, but that is expected to change. As a member of the National Association of Insurance Commissioners (NAIC), it is aware of that organization’s adoption in September 2012 of the Risk Management and Own Risk and Solvency Assessment (ORSA) model legislation. This model law is effective for adoption by state legislatures in 2015. Among other things, the Act requires that “An insurer shall maintain a risk management framework to assist the insurer with identifying, assessing, monitoring, managing, and reporting on its material and relevant risks. This requirement may be satisfied if the insurance group of which the insurer is a member maintains a risk management framework applicable to the operations of the insurer.”2 At this time, WCF meets the exemption requirement due to premium volume written, but the Act clearly sets out standards of best practice that should be considered.

Management has committed to, and the board expects, continued development of the ERM program and culture. This must be done to a level that matches WCF’s risks and ensures it will always be able to discharge the long-term responsibilities it has to policyholders and injured workers. The depth and complexity of the ERM program will be determined through discussion and consultation between management and the board. WCF’s mission is excellence.

QUESTIONS

1. What skill set or industry experience would be most valuable for a CRO to acquire?
2. If a Board has an audit, investment, and risk committee how should they work together and what would be an appropriate division of duties?
3. Should the CRO’s role be a directing or a counseling one? How would this vary in small, medium, or large companies?
4. What would the ideal working relationship be between the CRO and CFO?
5. How should the Board and CEO evaluate a CRO’s performance and contribution to the


NOTES

1. Bradford, Dallas. June 2013. Written comments from WCF Board Chair Dallas Bradford to author.
2. National Association of Insurance Commissioners. 2012. “Risk Management and Own Risk and Solvency Assessment Model Act.”

ABOUT THE CONTRIBUTOR

Dan Hair is the Chief Risk Officer (CRO) at Workers Compensation Fund, located in Utah. He joined WCF in 2005 after a 25-year career with Zenith Insurance Company. As CRO, Dan is responsible for the enterprise risk management efforts of WCF and reports to the president and CEO. He works directly with the board of directors and the Board Risk Oversight Committee. Dan was educated at UCLA and USC, has an insurance operations and safety engineering background, and has taught and published in the areas of risk and risk management for years.


Measuring Performance at Intuit
A Value-Added Component in ERM Programs

JANET NASBURG
Chief Risk Officer, Intuit Inc.

Intuit started small in 1983 with Quicken personal finance software, simplifying a common household dilemma: balancing the family checkbook. Today, we’ve improved the lives of more than 50 million people, and our annual revenue exceeds $4 billion. We are publicly traded with the symbol INTU on the NASDAQ Stock Market, and are regularly recognized as one of the best places to work in locations around the world.

Our flagship products—QuickBooks, TurboTax, Quicken, and Mint—define our commitment to revolutionize the way people manage their personal finances, run small businesses, and pay employees. Our lineup of tax preparation products helps individuals and small business owners easily and accurately file their own taxes. And working with accountants, we’ve become a staple of American small business, with a widespread and deep-rooted presence that’s second to none.

But we’re much more than that. Today, our expanding portfolio serves customers in North America, Europe, Singapore, and India. And our products have evolved from the desktop to the cloud, with many available both online and for mobile devices.

As the way we live and work evolves, we adapt our strategy to meet and lead these changes. No matter where you find us—and whether you use our products on your PC or mobile phone—we remain committed to creating new and easier ways for consumers and businesses to tackle life’s financial chores, giving them more time to live their lives and run their businesses. As our business and product lines grow beyond accounting and into new areas, we will build on our heritage of innovation. That’s not just our history. It’s our future.

INTUIT’S ERM JOURNEY

Like most companies, Intuit’s enterprise risk management (ERM) journey began with the practice of risk management on an ad hoc basis. Organized efforts came into play only when a significant problem occurred. Problems identified were primarily operational in nature and were defined narrowly to the specific issue. Well-intentioned and committed teams would attack the problem, stopping everything to focus on and solve the problem. These teams would produce long lists of issues and potential mitigation steps—some significant and some minor— to be addressed. Once the immediate problem was solved, it was back to business as usual. This ad hoc approach was not only extremely inefficient but was also not producing a lasting framework that would allow risks to be managed intelligently. In 2009 Intuit established the foundation of the ERM program that is in place today. This foundation included an enterprise-wide common risk framework, annual assessment cycle, and integration into the strategic planning process.

At Intuit, our ERM program has focused not simply on building a process but on building a sustainable risk management capability. Process is a necessary component, but process alone will not build the capability; it will not ensure that risk management is an integral part of how the company operates. Establishing operating mechanisms, practices, and processes that can be maintained well into the future and drive continuous focus on risk management was an important first step. Once the process was solidly in place, focus shifted to building risk management capability. Robust processes for identifying risk, assessing risk, and monitoring risk management progress helped our business leaders to develop and implement risk management activities as part of the normal operating processes of the company instead of reacting to risk on an ad hoc basis. This regular rhythm of risk management has built a strong risk management capability across the company.

Underlying Intuit’s ERM program are some core principles that have brought Intuit’s program to the leadership level it is at today.

• A common risk framework enterprise-wide. The establishment of a common risk framework has enabled business leaders to speak about risks with a common language despite the differences in business lines.

• Assessing risks on an ongoing basis. A constant lens on the risk landscape increases agility to adapt to changes in our business and the environment in which we operate.

• Focusing on the most significant risks. Targeting attention and resources on those risks with the greatest impact on Intuit’s growth, product delivery, and operations drives progress.

• Clearly defined ownership and accountability for risk management. With appropriate oversight from the board and executive management, ownership and accountability for managing risk are the responsibility of business leaders across the company, thereby aligning ownership with leaders who are driving Intuit’s growth strategy and operational priorities.

• Performance measurement and monitoring. Continuously monitoring performance drives progress in risk mitigation and continuously strengthens risk management capability.

Intuit’s ERM program provides our business leaders with an understanding of current and emerging risks providing insights that inform strategic decisions. Each year the journey has continued to increase the level of risk intelligence across the company by building risk management strength and continuously measuring risk management effectiveness.

ERM MATURITY MODEL

ERM programs take time to establish and mature, and building the right foundation is critical.

Patience is not an absence of action; rather it is “timing”; it waits on the right time to act, for the right principles and in the right way.

–Fulton J. Sheen

Enterprise risk management programs are designed to drive identification of risks that may affect a company and management of those risks in order to enable achievement of the company’s objectives. As the level of risk management capability matures, the value of ERM becomes more visible and impactful. The stages of risk management maturity can be described in many ways, all of which generally fall into the following levels (see Exhibit 12.1):

� Ad hoc risk management. Risk Management activities are designed to address a specific problem or task, and not intended to be adapted for wider application.

� Targeted risk management. Independent risk management activities are focused on a limited set of specific risk areas.

� Integrated risk framework. A common, repeatable enterprise framework is used for assessment, own- ership and accountability, and reporting of risk management performance.

[Figure: five maturity stages (Ad-hoc Risk, Targeted Risk, Integrated Risk, Risk Intelligent, Risk Leadership) plotted against the axes Risk Management Capability and Stakeholder Value.]

Exhibit 12.1 Enterprise Risk Management Maturity Model

230 Implementing Enterprise Risk Management

• Risk intelligent. Established processes are used to continuously measure and monitor risk management effectiveness and drive optimal performance.

• Risk leadership. Risk management is seamlessly embedded in strategic decision making.

The speed at which a company moves through each level of maturity will vary, as it must be tailored to the individual needs and capacity for change of the company.

BENEFITS OF MEASURING PERFORMANCE IN ERM PROGRAMS

Performance measurement is not new. Measuring performance provides insights into where additional attention may be required or potential opportunities exist. Understanding the risk landscape enables business leaders to formulate and execute strategies informed by potential pitfalls and opportunities. The use of measurements to monitor current significant risks, highlight emerging risks, and understand the impact of both on company strategies and objectives is a key component of any ERM program.

The type of performance measures used varies based on the objective. Key risk indicators (KRIs) can be used to understand how potential emerging risks or trends may impact current risks, business opportunities, and business strategies. Key performance indicators (KPIs) can be used to measure the effectiveness of risk management activities. Both of these types of indicators are important, and using a combination of KRIs and KPIs can increase the value achieved from an ERM program.

Using Key Performance Indicators to Measure Risk Management Effectiveness

Key performance indicators are used to measure and monitor business strategies and business operations. Performance measurement provides information on the gaps between actual performance and targeted performance. It can be used to determine organizational effectiveness and operational efficiency. Measuring and monitoring risk management effectiveness is no different from measuring other performance. Measures are identified, expected targets or thresholds are established, and a starting point or baseline is set. Key performance indicators can take many forms:

• Qualitative and quantitative indicators. Qualitative measures are based on subjective characteristics or qualities rather than on a quantity or measured value. Quantitative measures are based on objective, quantifiable data, like percentages, counts, and ratios. The difference between qualitative and quantitative measures can be confusing, and there is often debate over which is better; however, both can be equally useful, and many times a combination of qualitative and quantitative measures can provide a more holistic picture of performance.


• Leading and lagging indicators. Leading indicators are predictive in nature, like early warning signals. They can highlight that an overall change in performance level is expected based on specific triggers that are monitored. Lagging indicators provide insights into the success or failure of an activity after it is complete.

• Input, process, and output indicators. These indicators are useful in evaluating an end-to-end process. Input indicators measure resources used in executing an activity. Process indicators measure efficiency or productivity. Output indicators measure the result of the process or activity.

In measuring risk management effectiveness, a combination of indicator types is often used. The biggest challenge in measuring performance is knowing what to measure. Selecting performance measures that cannot be gathered and tracked on an ongoing basis, or that are too complex for business leaders to grasp their relevance, will not provide value. To be most effective, key performance indicators need to be defined so that they are clear, meaningful, and measurable.

When defining KPIs for ERM, ensuring that the following four characteristics are incorporated can be helpful:

• Tangible. Tangible performance measures, aligned with the level of risk exposure that the company deems acceptable, provide true measures of risk management effectiveness, not just milestones in a risk management plan.

• Flexible. Flexible performance measures that can be adjusted to changes in the organization and risk landscape.

• Standardized. Common performance measures used enterprise-wide that provide a view of how each business line’s performance contributes to the aggregated risk exposure at the enterprise level.

• Outcome or objective focused. Performance measures that are aligned to a specific objective or desired outcome.

Exhibit 12.2 provides some examples of key performance indicators.

Exhibit 12.2 Key Performance Indicators

Examples of Key Performance Indicators:

• Percentage of customer attrition
• Percentage of employee turnover
• Profitability of customers by demographic segments
• Percentage of mission-critical business processes with tested contingency plans
• Current-period write-offs or fraud losses


Analyzing Performance Data

Performance measurement alone is not enough to add value; learning from the information and applying that learning to drive changes that improve performance are important steps. Optimizing the benefits of performance measurement can be achieved by performing analysis of the data collected. Data analysis transforms the performance information into useful input, which can help business leaders to make better risk-informed decisions. There are many types of analysis that can be used, and the choice will vary based on the objectives of the analysis.

While this list is not exhaustive, here are some examples of commonly used analyses:

• Failure mode and effects analysis (FMEA). FMEA helps to identify potential failure points based on certain conditions. The consequences of failures are further analyzed to understand their impact on other parts of a system or process. FMEA can help to design more comprehensive risk mitigation efforts.

• Regression analysis. Regression analysis provides information on the relationship between one dependent variable and one or more independent variables. This type of analysis can be helpful in understanding the correlation between different risks.

• Pareto analysis. Pareto analysis measures the frequency of issues, from most to least frequent. This type of analysis is useful in making decisions that provide the greatest results—for example, targeting resources to address issues in a specific component of a process with the greatest number of errors or control failures.

• Root cause analysis. Root cause analysis is designed to identify and correct the fundamental cause of a problem. It helps focus remediation not on merely correcting symptoms but on preventing the recurrence of problems. This type of analysis is especially useful as a method to proactively forecast probable events before they occur.

• Scenario analysis. Scenario analysis uses discrete scenarios to understand the potential outcome. Typically the worst case, best case, and most likely case are considered. Single-point estimates or a Monte Carlo simulation model using a range of values can be used. This type of analysis is useful to enhance readiness and strengthen response capabilities.

• Benchmarking. Benchmarking compares a company’s current practices to best practices. This type of analysis facilitates development of strategies to improve processes and performance measures.

• Threat analysis. Threat analysis can be used to evaluate a broad spectrum of areas such as natural disasters, criminal activity, legal or regulatory factors, technology trends, internal capabilities, and market forces. Using this type of analysis to gain insights into potential threats is useful to enhance readiness and strengthen response capabilities, as well as to enhance risk mitigation strategies.

Analyses such as these can be used to perform a deep review of a specific risk area to understand effectiveness of current risk mitigation strategies, or can be used broadly to understand potential emerging risks.
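As an added illustration of the scenario analysis described in the list above (this is example code, not code from the book, from Intuit, or from the chapter’s author), the following Python first produces single-point expected-loss estimates for constructed best, most-likely, and worst-case scenarios of one risk, and then runs a Monte Carlo simulation that draws likelihood and impact from a range spanning the three cases. The scenario values, the use of a triangular distribution for the range, and the percentile cut-offs reported are all assumptions chosen for the example.

```python
import random
from statistics import mean

# Constructed sample input (an assumption, not from the book): three discrete
# scenarios for a single risk, each with an annual likelihood and a loss impact.
SCENARIOS = {
    "best":        {"likelihood": 0.05, "impact": 100_000},
    "most_likely": {"likelihood": 0.20, "impact": 500_000},
    "worst":       {"likelihood": 0.40, "impact": 2_000_000},
}


def single_point_estimates(scenarios=SCENARIOS):
    """Single-point estimate per scenario: expected loss = likelihood x impact."""
    return {name: s["likelihood"] * s["impact"] for name, s in scenarios.items()}


def monte_carlo_loss(scenarios=SCENARIOS, trials=20_000, seed=7):
    """Monte Carlo scenario analysis over the range spanned by the three cases.

    Each trial draws a likelihood and an impact from a triangular distribution
    whose low and high ends are the best and worst cases and whose mode is the
    most likely case (an assumed shape for the range), then decides whether the
    loss event occurs in that trial. Returns summary statistics of the
    resulting annual loss distribution.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    best, likely, worst = scenarios["best"], scenarios["most_likely"], scenarios["worst"]
    losses = []
    for _ in range(trials):
        p = rng.triangular(best["likelihood"], worst["likelihood"], likely["likelihood"])
        impact = rng.triangular(best["impact"], worst["impact"], likely["impact"])
        losses.append(impact if rng.random() < p else 0.0)
    losses.sort()

    def percentile(q):
        # Nearest-rank percentile on the sorted sample.
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {
        "expected_loss": mean(losses),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p99": percentile(0.99),
        "max": losses[-1],
    }


if __name__ == "__main__":
    for name, value in single_point_estimates().items():
        print(f"{name:12s} expected loss: {value:>12,.0f}")
    for key, value in monte_carlo_loss().items():
        print(f"{key:12s} {value:>12,.0f}")
```

The single-point estimates show how far apart the three cases sit; the simulation adds the tail figures (p90, p99, maximum) that readiness and response planning would draw on, which no single scenario supplies on its own. Because most trials produce no loss at all, the median is zero while the mean and upper percentiles are not, which is the kind of result a dashboard reader needs explained.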

Using Key Risk Indicators to Understand Potential New Risks or Changing Risks

Most organizations use key performance indicators to monitor progress in meeting corporate objectives. Those indicators provide valuable information, including insights into risks. However, key performance indicators primarily provide insights into risks already well known by the organization. With ever-changing business environments challenging companies to take a longer-term view into potential risks, there is increased focus on understanding emerging risks. Key risk indicators are used to provide an early warning signal by not just looking at current risks but looking for leading indicators or triggers in the business environment. These triggers can be used to develop strategies that better position the company to manage new risks as they arise. Development of risk indicators can come from analysis of previous risk events to understand their root cause and triggers that can be used in the future as risk indicators. External information, such as economic indicators, industry benchmarks and trends, competitor actions, and the like, can all be utilized in developing key risk indicators. Just as with key performance indicators, key risk indicators are most effective if they are tangible, flexible, standardized, and outcome or objective focused.

Exhibit 12.3 provides some examples of key risk indicators.

Exhibit 12.3 Key Risk Indicators

Examples of Key Risk Indicators:

• Industry trends in customer attrition
• Frequency of critical process failures
• Trends in gasoline or other critical commodity prices in relevant geographies
• Unexpected significant change in number of competitors or suppliers
• Spreads on debt for comparably rated companies

ERM PERFORMANCE MEASUREMENT AND REPORTING AT INTUIT

Performance measurement in Intuit’s ERM program has been a journey of continuous improvement. As ERM programs mature over time, increasing their complexity and value, performance measures and reporting must evolve as well. What gets measured at each level of maturity may vary greatly. The ERM performance measurement approach at Intuit has been continuously updated to keep it relevant and flexible with respect to the organization’s level of risk management maturity. At each stage in the evolution of ERM maturity, objectives and expectations are adjusted. In addition, the appropriateness of current metrics is evaluated given the constantly changing business environment.

First Evolution: ERM Process Adoption

In the early stages of ERM maturity at Intuit, performance measurement was focused on adoption of the ERM process. The objective was to ensure a robust process of risk identification and prioritization facilitating focus on the most significant risks. The measures at this point were twofold: process participation and risk assessment impact and likelihood. Reporting to executive management and the board included the results of the annual assessment, participation rates and heat maps, as well as an outline of strategies to improve the company’s top risks.

ERM Process Participation

Participation in the process was targeted at senior leadership at both the company and business line levels. Business line leadership provided subject matter expertise and insights into the most significant risks facing their specific businesses. Executive management provided an enterprise perspective. The desired participation rate target was 80 percent or greater. Participation rates were calculated at the individual business line level as well as at the company level. This may seem like a very simplistic measure, but you need to consider the level of risk management maturity that was in place at this point. Expecting business leaders to track complex measures when they are just beginning to build a risk management capability may be unrealistic. Measuring participation in the ERM process provided an indicator of risk awareness and risk management currently in place. This was an important benchmark. Since performance measurement provides information on the gaps between actual performance and targeted performance, this measure highlighted opportunities to help business leaders increase their risk focus and knowledge.

Risk Impact and Likelihood

Intuit’s ERM program, like many other companies’ programs, includes an annual risk assessment. The annual risk assessment provides an enterprise-wide understanding of key risks. Intuit conducts risk assessments at both the company level and on an individual business line level. The assessment solicits information from the company’s executive management on the impact and likelihood of risks affecting the organization’s strategies and objectives. Measuring impact and likelihood is clearly defined and standardized, facilitating aggregation of the information received from participants across the company. Heat maps, as illustrated in Exhibit 12.4, are used to show the results of the assessment, and attention is then focused on the risks in the upper right-hand quadrant.


[Figure: heat map grid; the only recoverable text is the axis label Impact, the scale labels Low and High, and numeric tick marks 3 to 6.]

Exhibit 12.4 Risk Impact and Likelihood Diagram

This type of performance measurement and reporting provided many benefits, including:

• Helping business leaders to understand the effect of risks on performance against strategic goals and objectives

• Targeting focus to the critical few, and in doing so accelerating progress on addressing these risks

• Identifying potential events or circumstances that may impede ability to optimize performance

Second Evolution: Risk Mitigation Progress Measurement

With the rhythm of an annual ERM assessment in place and top risks at the company and business line level appropriately prioritized, the focus shifted to building risk management strength. The objective was to ensure direct alignment of risk management activities and resources to the most critical issues identified as part of the assessment process. The focus of performance measurement was on the top risks identified at the company and business line levels. Ownership and accountability for the top risks are specifically designated to a senior leader at the company level or business line level. Performance measurement includes an indicator of the status of overall risk exposure, an indicator of current risk trending, as well as a separate measure tracking the progress on individual risk mitigation activities.

Exhibit 12.5 provides an example of the levels of status indicators. Quarterly ERM performance reporting is integrated into Intuit’s annual enterprise and business line strategic planning process and quarterly operating reviews. Exhibit 12.6 provides a sample business line top risk status report.


Exhibit 12.5 Example of Levels of Status Indicators

(The original exhibit is a three-column table: Color, Status of Risk Exposure, Plan Status. The color column did not survive extraction; the levels of the other two columns are listed below.)

Status of Risk Exposure:

• Missing or ineffective mitigation and/or significant process breakdowns. Further action required.
• Some mitigation in place, stronger additional mitigation needed. Plans developed and some risk reduction occurring.
• Managed well with appropriate mitigation in place. Risk has been reduced to an acceptable level.
• Status not available.

Plan Status:

• Plan significantly at risk.
• Plan potentially at risk.
• Plan on schedule.
• Plan complete.
• Plan not started.

This type of performance measurement and reporting provides many benefits, including:

• Demonstrating the breadth of top risk coverage with defined risk management plans

• Highlighting potential gaps in resources to execute mitigation activities

• Providing transparency to risk management activities across the organization and opportunities to leverage common risk management strategies and best practices

Exhibit 12.6 Sample Business Line Top Risk Status Report

[Table: columns Risk 1 Status and Status as of x period; one row for each of Business Line 1 through Business Line 7. Business Line 2 and Business Line 7 are marked “Not measured”; the remaining cells are color-coded status indicators that did not survive extraction.]

KPI / KRI 1 rating criteria example: Medium Gray: ≤ X; Light Gray: between x and x; Dark Gray: > x.

Exhibit 12.7 Sample Executive Dashboard

Third Evolution: Multidimensional Risk Management Performance Measurement

As Intuit’s program evolved, performance measurement and reporting focus moved from tracking progress on risk mitigation to a more holistic approach. The objective was to actively monitor the most important risks facing the company and ensure that business leaders were proactively adjusting strategies to balance managing these risks and leveraging the opportunities they provide. To this end, executive dashboards were developed, which use a combination of key performance indicators and key risk indicators. Aggregation of a number of different KPIs provides a multidimensional view of risk and an overall risk score. Standard metrics are used enterprise-wide to ensure that all business lines are aligned to the objectives. Additionally, an overall risk rating is assigned that demonstrates the collective effect of these activities on the risk exposure at the company level. Dashboards for each of the company’s top risks and an overall summary are routinely reported to the board and executive management. Exhibit 12.7 provides a sample executive dashboard.

This type of performance measurement and reporting has provided many benefits, including:

• Providing visibility into business line risks to aid understanding of the cumulative impact of these risks on Intuit as a whole

• Enabling the company to drive focus and allocate resources to the highest-impact work, and to accelerate progress on specific risks by leveraging a rigorous program from the center and coordinated business line effort

• Driving the development and adoption of enterprise standards and best practices (e.g., hosting principles, security standards, technology principles)

Exhibit 12.8 From Tactical Risk Management to Strategic Risk Management

Tactical risk management:

• Tactical activities to address current gaps
• Narrow scope
• Long road maps

Strategic risk management:

• Better understanding of the risks and their effect on company growth
• Longer term view of strategies to address risk, with tighter timelines to accelerate progress
• Embrace innovation

As Intuit’s ERM program, and the approach to performance measurement and reporting, has matured, we have a higher bar for risk management—it is more strategic, and we have significantly improved execution. We have moved from tactical risk management to strategic risk management, as shown in Exhibit 12.8.

CONCLUSION

This chapter has described the value of performance measurement as a component of ERM programs.

At Intuit, risk management is the responsibility of everyone in the organization, from the board and executive management all the way down to the individual employees. To ensure that risk management is effective, it must be a core business competency, and measuring performance facilitates tracking that the appropriate level of competency is achieved.

Intuit’s ERM program provides a rigorous and coordinated approach to assessing and responding to risks. It recognizes the upside opportunity and downside nature of risks. Routine performance measurement is a critical component of the program and not only ensures a focus on the most significant risks but also accelerates progress on managing current and emerging risks and assuring alignment with strategic goals.

Performance is reviewed regularly with the Audit and Risk Committee of the board, and, as a result, feedback drives continuous innovation around performance measurement and reporting. ERM is viewed as an integral part of the company’s current operating model, and continuously improves enterprise-wide risk awareness, monitoring, and management.

QUESTIONS

1. How do Key Risk Indicators help companies identify emerging risks?

2. How do Key Performance Indicators help companies to manage existing risks?

3. If measuring performance is not a component of an ERM program, what is the effect on the overall quality of the program?

4. How can the Board be confident in the information reported on management’s progress in responding to significant risks?

ABOUT THE CONTRIBUTOR

Janet Nasburg is Chief Risk Officer at Intuit, makers of QuickBooks, TurboTax, Quicken, and Mint. Intuit is committed to revolutionizing the way people manage their small businesses and personal finances. Ms. Nasburg is responsible for driving Intuit’s enterprise risk management capability to ensure that the company appropriately balances opportunities and risks to achieve optimal business results. She reports routinely to the board of directors on the company’s risk landscape, risk tolerance, and emerging risks.

Ms. Nasburg has more than 30 years of experience in finance and risk management. She is on the executive committee of the Conference Board’s Strategic Risk Management Council, and is also a member of the Institute of Internal Auditors. She is a Certified Internal Auditor (CIA), Certified in Risk Management Assurance (CRMA), and Certified in Control Self Assessment (CCSA). She has a BS in agricultural economics and business management from the University of California, Davis, and an MBA in finance from the Graduate School of Business, San Francisco State University.


TD Bank’s Approach to an Enterprise Risk Management Program

PAUL CUNHA
Vice President, Enterprise Risk Management for TD Bank Group

KRISTINA NARVAEZ
President and Owner of ERM Strategies, LLC

This case study focuses on how TD Bank Group uses enterprise risk management (ERM) to grow profitably while keeping in mind the balance between taking and managing its risks. TD recognizes that having a strong risk culture and approach to risk management is fundamental to success. TD’s ERM approach is comprehensive and proactive. It combines the experience and specialized knowledge of individual business segments, risk professionals, and the corporate oversight functions. It is based on enabling TD’s business to understand the risks it faces and to develop the policies, processes, and controls required to manage them appropriately in alignment with the bank’s strategy and risk appetite.

BACKGROUND

Headquartered in Toronto, Canada, with more than 85,000 employees in offices around the world, TD and its subsidiaries offer a full range of financial products and services to approximately 22 million customers worldwide through three key business lines:

1. Canadian retail, including TD Canada Trust, TD Auto Finance Canada, Canadian credit cards, Canadian wealth, and TD Insurance

2. Wholesale Banking, including TD Securities

3. U.S. retail, including TD Bank (“America’s Most Convenient Bank”), TD Auto Finance U.S., U.S. wealth, and U.S. credit cards

As of April 30, 2014, TD had $896 billion (Canadian) in assets. TD also ranks among the world’s leading online financial services firms, with approximately eight million active online and mobile customers. It is the second-largest bank in Canada and the tenth-largest bank in the United States (by market capitalization). TD trades on the Toronto Stock Exchange and New York Stock Exchange under the symbol “TD.”

ERM at TD Bank

TD’s risk management approach is comprehensive, with TD Bank’s Enterprise Risk Framework (ERF) reinforcing TD’s risk culture and ensuring that all stakeholders have a common understanding of how TD manages risk. The ERF addresses: (1) the nature of the risks to TD’s business strategy and operations; (2) how TD defines the types of risk it is exposed to; (3) risk management governance; and (4) how TD manages risk through processes that identify, measure, assess, control, and monitor risk. TD’s risk management resources and processes are designed to enable all of its businesses to understand the risks they face and to manage them within TD’s risk appetite.

TD’s Risk Appetite Statement is the primary means used to communicate how TD views risk and determines the risks it is willing to take in order to grow its business. TD takes into account its mission, vision, guiding principles, and strategy, as well as risk philosophy and capacity to bear risk, in defining its risk appetite.

TD takes risks required to build its business, but only if those risks:

• Fit its business strategy, and can be understood and managed

• Do not expose the enterprise to any significant single-loss events

• Do not risk harming the TD brand

In applying its risk appetite, TD considers both the current conditions in which it operates and the impact that emerging risks will have on TD’s strategy and risk profile. Adherence to the enterprise risk appetite is managed and monitored across TD and is based on a broad collection of principles, policies, processes, and procedures, including risk appetite statements and related performance measures for major risk categories and the business segments.

At the enterprise level, metrics are tracked against key risks like capital adequacy, market risk, liquidity risk, credit risk, and operational risk. These metrics and compliance with the Risk Appetite Statement are monitored and reported by risk dashboards on an ongoing basis. To ensure that TD Bank’s Risk Appetite Statement remains current and relevant, TD has established a Risk Appetite Governance Framework approved annually by the Risk Committee of the Board (RCoB). This framework describes TD’s processes, structure, and responsibilities to develop, govern, and approve the Enterprise and Business Segments Risk Appetite Statements and the requirements for monitoring and escalating exceptions. Specifically, the governance process provides that:

• The Enterprise and Business Segments Risk Appetite Statements and related metrics must be reviewed at least annually.

• Updates and amendments are developed by Risk Management with input from business segments, corporate functions, the senior executive team, and the RCoB.


• The TD Enterprise Risk Appetite Statement and related metrics must be reviewed and approved by the RCoB annually.

• The Business Segment Risk Appetite Statements must be recommended by each of the Business Group heads and approved by the president and chief executive officer (CEO) and chief risk officer (CRO) annually.

• Performance against the Enterprise and Segment Risk Appetite Statements must be monitored and reported on an ongoing basis.

Understanding an Organization’s Risks Helps Reinforce the Risk Culture

Each of the ERF’s components reinforces the desired risk culture of TD Bank, and they are all equally necessary to ensure that TD successfully manages its risk. The ERF sets the direction of how TD manages enterprise risk. The TD Risk Inventory sets out TD’s major risk categories and related subcategories to enable a consistent language and approach to measuring, reporting, and disclosing TD’s risks. This inventory of risks facilitates consistent enterprise risk identification and becomes the starting point to develop the appropriate risk strategies and processes to manage TD’s risk exposure. Definitions of common terms include:

Strategic risk is the potential for financial loss or reputational damage arising from ineffective business strategies, improper implementation of business strategies, or a lack of responsiveness to changes in the business environment. The CEO manages strategic risk supported by the members of the senior management team. Together they define the overall strategy, in consultation with and subject to approval by the board.

Credit risk is the risk of loss if a borrower or counterparty in a transaction fails to meet its agreed payment obligations. Credit risk is one of the most significant and pervasive risks in the banking sector. Every loan, extension of credit, or transaction that involves transfer of payments between TD and other parties or financial institutions exposes TD to some degree of credit risk. The responsibility of credit risk management is enterprise-wide. Each business segment’s credit risk control unit is primarily responsible for credit decisions and must comply with established policies, exposure guidelines, and credit approval limits.

Market risk is the risk of loss in financial instruments or the balance sheet due to adverse movements in market factors such as interest and exchange rates, prices, credit spreads, volatilities, and correlations. TD is exposed to market risk in its trading and investment portfolios, as well as through its nontrading activities. The primary responsibility for managing market risk in trading activities lies with Wholesale Banking with oversight from Market Risk Control within Risk Management.

Liquidity risk is the risk of having insufficient cash or collateral resources to meet financial obligations without raising funds at unfavorable rates or being unable to sell assets at a reasonable price in a timely manner. Demand for cash can arise from deposit withdrawals, debt maturities, and commitments to provide credit or liquidity support. The Asset/Liability and Capital Committee oversees the liquidity risk management program.

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. Operational risk is embedded in all of the bank’s business activities, including the practices for managing other risks such as credit, market, and liquidity risk. Operational Risk Management is an independent function that designs and maintains TD’s overall operational risk management framework. This framework sets out the enterprise-wide governance processes, policies, and practices to identify, assess, report, mitigate, and control operational risks.

Insurance risk is the risk of financial loss due to actual experience emerging differently from expected in insurance product pricing or reserving. This could be due to adverse fluctuations in timing, actual size, and/or frequency of claims, mortality, morbidity, policyholders’ behavior, or associated expenses incurred. Senior management within the insurance business units has primary responsibility for managing insurance risk with oversight by the Chief Risk Officer for Insurance, who reports into Risk Management.

Legal, regulatory, and compliance risk is the risk of negative impact to business activities, earnings or capital, regulatory relationships, or reputation as a result of failure to comply with or to adapt to current and changing regulations, laws, industry codes, rules, or regulatory expectations. Legal risk includes the potential for civil litigation or criminal or regulatory proceedings being commenced against the bank that, once decided, could materially and adversely affect its business, operations, or financial condition. Business segments and corporate areas are responsible for managing day-to-day regulatory and legal risk, while the Legal, Compliance, Global Anti-Money Laundering, and Regulatory risk groups assist them by providing advice and oversight.

Capital adequacy risk is the risk of insufficient capital available in relation to the amount of capital required to carry out the bank’s strategy and to satisfy regulatory capital adequacy requirements. Capital is held to protect the viability of the bank in the event of unexpected financial losses. The board of directors has the ultimate responsibility for overseeing adequacy of capital and capital management. The board reviews the adherence to capital limits and targets, and reviews and approves the annual capital plan and the Capital Management Policy.

Reputational risk is the potential that stakeholder impressions, whether true or not, regarding an institution’s business practices, actions, or inactions, will or may cause a decline in the institution’s value, brand, liquidity, or customer base. TD Bank’s enterprise-wide Reputational Risk Management Policy is approved by the Risk Committee of the Board. This policy sets out the framework under which each business unit is required to implement a reputational risk policy and procedures. These include designating a business-level committee to review reputational risk issues and to identify issues to be brought to the Enterprise Reputational Risk Committee.


Risk Governance Structure

TD’s risk governance structure emphasizes and balances strong central oversight and control of risk with clear accountability for, and ownership of, risk within each business unit. Under TD’s approach to risk governance, the business owns the risk that it generates and is responsible for assessing risk, designing and implementing controls, and monitoring and reporting its ongoing effectiveness to safeguard TD from exceeding its risk appetite.

TD’s risk governance model includes a senior management committee structure to support transparent risk reporting and discussion with overall risk and control oversight provided by the board and its committees. The CEO and Senior Executive Team determine TD’s long-term direction within the bank’s risk appetite and apply it to the businesses. Risk Management, headed by the Group head and chief risk officer (CRO), sets enterprise risk strategy and policy and provides independent oversight to support a comprehensive and proactive risk management approach for TD.

TD employs a “three lines of defense” model that describes the roles of the business, governance, risk, and oversight groups in managing TD Bank’s risk profile. The first line of defense is the business and corporate line of accountabilities and includes the following:

• Managing and identifying risks in day-to-day activities
• Ensuring that activities are within TD’s risk appetite and risk management practices
• Designing, implementing, and maintaining effective internal controls
• Monitoring and reporting on the risk profile

The second line of defense deals with setting standards and challenging business assumptions to improve governance, risk, and control groups’ responsibilities and accountability. These include the following:

• Establishing enterprise governance, risk, and control strategies and practices
• Providing oversight and independent challenge to the first line through review, inquiry, and discussion
• Developing and communicating governance, risk, and control policies
• Providing training, tools, and advice to support policy compliance
• Monitoring and reporting on compliance with risk appetite and policies

The third line of defense is independent assurance through the internal audit department, which allows for the following:

• Verifying independently that TD’s ERF is operating effectively
• Validating the effectiveness of the first and second lines of defense in fulfilling their mandates and managing the risk profile

246 Implementing Enterprise Risk Management

The RCoB oversees TD’s risk direction and the implementation of an effective risk management culture and internal control framework across the enterprise. In support of this oversight, the RCoB reviews, challenges, and approves certain risk policies while also reviewing and approving TD’s Risk Appetite Statement.

TD’s executive committees provide oversight at the most senior level and support management by guiding, challenging, and advising executive decision makers. The following committees oversee governance, risk, and control activities relating to the bank’s key risks, and review and monitor the risk strategies and associated risk activities and practices:

• The Enterprise Risk Management Committee oversees the management of major enterprise governance and risk and control activities.

• The Asset/Liability and Capital Committee (ALCO) oversees the management of TD’s nontrading market risk and each of its consolidated liquidity, funding, investments, and capital positions.

• The Operational Risk Oversight Committee oversees the strategic assessment of TD’s governance, control, and operational risk structure.

• The Disclosure Committee ensures that appropriate controls and procedures are in place and operating to permit timely, accurate, balanced, and compliant disclosure to regulators, shareholders, and the market.

• The Reputational Risk Committee ensures that corporate or business initiatives with significant reputational risk profiles have received adequate review for reputational risk implications prior to implementation.

The Risk Management function, headed by the CRO, provides independent oversight of risk governance and control, and is responsible for establishing risk management strategy, policies, and practices. Risk Management’s primary objective is to support a comprehensive and proactive approach to risk management that promotes a strong risk management culture. Risk Management works with the business segments and other corporate oversight groups to establish policies, standards, and limits that align with TD’s risk appetite, and monitors and reports on existing and emerging risks and compliance with TD’s risk appetite.

Each business segment has an embedded risk management function that reports directly to a senior risk executive, who in turn reports to the CRO. This structure supports an appropriate level of central oversight while emphasizing ownership and accountability for risk within the business segment. Business management is responsible for recommending the business-level risk appetite and metrics, which are reviewed and challenged as necessary by Risk Management and ultimately approved by the CEO.

TD’s audit function provides independent assurance to the board of the effectiveness of the risk management, control, and governance processes employed to ensure compliance with TD’s risk appetite. Internal Audit reports on its evaluation to management and the RCoB. The Compliance group establishes risk-based programs and standards to proactively manage known and emerging compliance risks across TD, provides independent oversight, and delivers operational control processes to comply with applicable legislation and regulatory requirements.


The Global Anti Money Laundering (AML) group establishes a risk-based program and standards to proactively manage known and emerging money laundering compliance risks across TD. The AML group provides independent oversight and delivers operational control processes to comply with the applicable legislation and regulatory requirements. The Treasury and Balance Sheet Management (TBSM) group manages, directs, and reports on TD’s capital and investment positions, interest rate risk, liquidity and funding risks, and the market risks of TD’s nontrading bank activities. The Risk Management function oversees TBSM’s capital and investment activities.

Risk Identification, Assessment, and Reporting

TD applies the following principles to how it manages risks:

• Enterprise-wide in scope. Risk management spans all areas of TD, including third-party alliances and joint venture undertakings and all boundaries, both geographic and regulatory.

• Transparent and effective communication. Matters relating to risk are communicated and escalated in a timely, accurate, and forthright manner.

• Enhanced accountability. Risks are explicitly owned, understood, and actively managed by business management and all employees, individually and collectively.

• Independent oversight. Risk policies, monitoring, and reporting will be established independently and objectively.

• Integrated risk and control culture. Risk management discipline is integrated into TD’s daily routines, decision making, and strategy.

• Strategic balance. Risks are managed to an acceptable level of exposure, recognizing the need to protect and grow shareholder value.

Risk identification and assessment are focused on recognizing and understanding existing risks, risks that may arise from new or evolving business initiatives, and emerging risks from the changing environment. TD looks to establish and maintain integrated risk identification and assessment processes that enhance the understanding of risk interdependencies, consider how risk types interact, and support the identification of emerging risks.

Depending on the risk type, the risk identification and assessment process may be developed and/or controlled by the business segment with oversight provided by Risk Management, or it may be controlled by a function within Risk Management. For example, credit risk assessment processes developed by a business segment exist for both retail and nonretail clients. The nature of those processes may vary by and/or within a business segment depending on the specific nature of the risk. Risk Management’s role in these processes is to provide oversight and challenge to ensure that the analysis and results produced by the process focus on the relevant issues.

Other risk identification and assessment processes that can and/or need to be applied on a consistent basis across TD have been developed by Risk Management at the enterprise level. Examples of such processes would include the Risk and Control Self-Assessment (RCSA) report, the Emerging Risk Identification process, scenario analysis and stress testing, and the Internal Capital Adequacy Assessment Process (ICAAP).

Risk Measurement

The ability to quantify risks is also a key commitment of TD’s risk management processes. These processes align with regulatory requirements for capital adequacy, leverage ratios, liquidity measures, stress testing, and maximum credit exposure guidelines. TD has a process in place to quantify risks to provide accurate and timely measurements of the risks it assumes.

In quantifying risk, TD uses various risk measurement methodologies, including value at risk (VaR) analysis, scenario analysis, stress testing, and limits. Other examples of risk measurements include credit exposures, provision for credit losses, peer comparisons, trending analysis, liquidity coverage, and capital adequacy metrics. TD also conducts structured Risk and Control Self-Assessment (RCSA) programs and monitors internal and external risk events. This allows TD to identify, escalate, and monitor significant risk issues as needed.

TD’s Enterprise-Wide Stress Testing involves the development, application, and assessment of severe but plausible stress scenarios on earnings, liquidity, and capital of the bank. It enables senior management and the board and its committees to identify and articulate enterprise-wide risks and understand potential vulnerabilities for TD. It informs and supports risk appetite, capital adequacy, and liquidity requirements, providing a framework to assess emerging, concentration, and contagion risks.

Risk Control

TD’s risk control processes are established and communicated through risk committees and approved policies, procedures, and control limits. Policies are used as a key risk control tool to provide consistency, predictability, and alignment with risk appetite by communicating the principles, rules, and limits to guide and determine decisions and behaviors. TD’s Policy Governance Framework provides a common structure and requirements for the consistent development, implementation, approval, and management of policy at TD.

TD’s approach to risk control includes risk and capital assessments to appropriately capture key risks in TD’s measurement and management of capital adequacy. This involves the review, challenge, and endorsement by senior management committees of the ICAAP practices. The Internal Control Framework describes enterprise principles governing internal control and management accountability to own and manage risk across the enterprise by practicing ongoing risk and control self-assessment; designing, implementing, and monitoring the effectiveness of a comprehensive program of internal control; and responding in a timely manner to control weaknesses identified by management, governance, risk and control groups, Internal Audit, or other parties.

In recognition of the importance of technology risk control and management, TD has established the Technology Risk Management and Information Security Program, which is designed to reduce business risk with technology controls, and to protect the bank, its customers, and its employees. This enterprise-wide program is delivered through governance and policy setting, along with the Technology Risk Assessment and Control Framework that generates awareness, communications and ongoing assessments, information security architecture and strategy, and vulnerability and incident management.

Risk Monitoring and Reporting

TD monitors and reports on risk levels on a regular basis to senior management, the RCoB, and the board. Complementing regular risk monitoring and reporting, ad hoc risk reporting is provided as appropriate for new and emerging risk or any significant changes to the bank’s risk profile. Risk-specific reporting is also in place as described in the relevant risk-specific frameworks.

TD’s risk dashboards provide a comprehensive quantitative and qualitative assessment of key risk types across the enterprise. The risk dashboards reflect established guidelines and risk tolerance based on TD policies that encompass key aspects of risk to the businesses.

TD measures management’s performance against risk appetite using the Risk Appetite Scorecard, which is a consolidated assessment of enterprise and business segment risk performance measured against risk appetite metrics. In completing the Risk Appetite Scorecard, TD Risk Management assesses various factors to determine whether the bank takes risks consistent with the Risk Appetite Statement and whether the risk level changed in the businesses as a result of management actions or external factors. This annual assessment of management’s performance against TD’s risk appetite is used as a key input into compensation decisions.

Extensive external reporting is produced to comply with legal and regulatory requirements. TD also discusses the ERF and related risk management practices in the Management Discussion and Analysis (MD&A) section of its annual report. All forward-looking statements to external stakeholders included in the MD&A are, by their very nature, subject to inherent risks and uncertainties, general and specific, which may cause the bank’s actual results to differ materially from the expectations expressed in the forward-looking statements.

CONCLUSION

TD Bank’s earnings are affected by the general business and economic conditions in Canada and the United States. These conditions include short-term and long-term interest rates, inflation, fluctuations in debt and capital markets, consumer debt levels, government spending, exchange rates, the strength of the economy, threats of terrorism, civil unrest, the effects of public health emergencies, the effects of disruptions to public infrastructure, and the level of business conducted in the regions where the bank operates.

TD Bank employs an ERM framework that emphasizes and balances central oversight and control of risk with clear accountability for and ownership of risk within each business segment. TD’s approach to ERM is based on six key principles: enterprise-wide in scope, transparent and effective communication, enhanced accountability, independent oversight, integrated risk and control culture, and strategic balance.

QUESTIONS

1. How does an ERM program help an organization to better understand their risk culture?
2. How would you describe TD Bank’s risk profile to a financial analyst on Wall Street?
3. What are the determining factors in deciding which risks TD can take?
4. How does TD measure the risks in their organization?


ABOUT THE CONTRIBUTORS

Paul Cunha is Vice President, Enterprise Risk Management, at TD Bank. He graduated from Wilfrid Laurier University with an honors bachelor of business administration and is a CFA charterholder. During his career at TD Bank, he has spent time in risk management, internal audit, retail banking, commercial banking, and corporate and investment banking.

Kristina Narvaez is the president and owner of ERM Strategies, LLC. She graduated from the University of Utah in environmental risk management and then received her MBA with two advanced certificates in finance and information technology from Westminster College. She is a two-time Spencer Education Foundation Graduate Scholar from the Risk and Insurance Management Society, and has published more than 25 articles and papers on topics relating to enterprise risk management and board risk governance.

Note: The material contained in this chapter represents the views of the authors and not necessarily those of the TD Bank Group.


Linking ERM to Strategy and Strategic Risk Management


A Strategic Approach to Enterprise Risk Management at Zurich Insurance Group

LINDA CONRAD Director of Strategic Business Risk at Zurich Insurance Group

KRISTINA NARVAEZ President and Owner of ERM Strategies, LLC

This case study describes how the Zurich Insurance Group has implemented and evolved its enterprise risk management (ERM) approach for more than 10 years across the globe. It describes how Zurich has organized its governance structures and ERM champions to help integrate ERM into the business model that focuses on promptly identifying, measuring, managing, monitoring, and reporting risks that affect the achievement of strategic, operational, and financial objectives. This includes adjusting their risk profiles to be in line with Zurich’s stated risk tolerance to respond to new threats and opportunities in order to optimize returns.

ENTERPRISE RISK MANAGEMENT AT ZURICH

As a large global insurance carrier, Zurich Insurance Group has relied on its ERM program for more than 10 years as a means to help Zurich remain profitable. With over 60,000 employees around the world and serving customers in more than 170 countries and territories, Zurich is exposed to a wide range of risks from its customers to its own operations. Yet Zurich recognizes that taking the right risks at the right time is a necessary part of growing and protecting shareholder value. Naturally, Zurich aims to capitalize on appropriate market opportunities that could attract the best talent and investor capital. To achieve this, Zurich utilizes insight from its ERM program to help balance growth opportunities with the reality that it is operating in a complex world economy.

ERM not only is embedded in Zurich’s business, but is also aligned with its strategic and operational planning and budgeting process. Zurich assesses risks systematically and from a strategic perspective through its proprietary tools that allow it to identify and then evaluate the probability of a risk scenario occurring, as well as the severity of the consequence should it occur. Zurich then develops, implements, and monitors appropriate improvement actions. Its ERM tools are integral to how Zurich deals with change, by helping to evaluate strategic risks as well as risks to its reputation. At the senior management level, the ERM process is annually reviewed and tied to the strategic planning process, but is also embedded in the ongoing business.

Listed here are Zurich’s major ERM objectives, and a tangible proof point:

• Protect the capital base by monitoring that risks are not taken beyond Zurich’s risk tolerance.

• Enhance value creation and contribute to an optimal risk/return profile by providing the basis for efficient capital deployment.

• Support Zurich’s decision-making processes by providing consistent, reliable, and timely risk information.

• Protect Zurich’s reputation and brand by promoting a sound culture of risk awareness and disciplined and informed risk taking.

Tangible Results

By aligning ERM with its business strategy, Zurich has been able to use certain tools to create new value for its organization in a variety of areas. Zurich’s ERM program has sustained business growth throughout the recession, contributing to more than 40 consecutive quarters of growth. One way it added value through ERM was when Zurich introduced an enhanced operational risk management framework. One business unit reduced operational risk-based capital (RBC) consumption by 21.7 percent when Zurich moved from an asset-based to a risk-based approach for operational risk quantification. Using tools such as Total Risk Profiling (TRP, described later in this chapter), the business unit then identified high-risk exposures, performed a deeper assessment, and developed mitigation measures. The business unit experienced an additional reduction of 28.9 percent in operational risk capital consumption the following year. Operational risk capital not consumed was then available to fund profitable growth for Zurich.

Optimizing the Risk and Reward Balance at Zurich

To consistently achieve the right balance between risk and reward to optimize capital, many corporate leaders around the world have adopted ERM within their organizations. Zurich has a well-established ERM program, which it sees as a critical component to its success. Zurich’s comprehensive ERM and risk tolerance framework links risk taking, strategic planning, and operational planning with a comprehensive risk limit system. It enables active risk-taking within a consistent framework across the entire organization. It also allows for the flexibility to either increase or limit risk levels as appropriate for specific applications, geographies, or business units on a case-by-case basis, in accordance with Zurich’s risk policy.

Global businesses like Zurich are increasingly focused on the challenge of mapping and managing their risk profiles, looking beyond a single dimension to understand the complex interactions between many different types of risks. Zurich’s risk landscape outlines the number of risks, types of risks, and potential effects of those risks to the organization. This outline supports each business unit within Zurich as they strive to anticipate additional costs or disruption to its operations. Also, it describes the willingness of Zurich to take risks and how those risks will affect the operational strategy of the organization. Managing the vast scope of business exposures and growth initiatives requires taking a broader view on risks from a strategic perspective. In defining its desired risk profile, Zurich must determine which risks will optimize its returns. Its ERM mission is to promptly identify, measure, manage, report, and monitor the risks that affect the achievement of its strategic goals.

Risk Culture at Zurich

The risk culture at Zurich could be defined as the individual and group behavior within the organization that determines the way in which Zurich identifies, understands, discusses, and acts on the organization’s risks and opportunities. Embedding a positive risk culture is the responsibility of the Zurich leadership team because it is critical to the effective management of the business.

The core characteristics expected from an effective risk culture include committed leadership, an effective governance structure with clear risk responsibilities and timely escalation procedures, continuous and constructive challenges, active learning from past mistakes, and incentives that reward consideration of risk management objectives and risk appetite in the organization’s management of the business.

Zurich recognizes the need to constantly improve on its ERM program. Senior leadership also wishes to have an effective way of understanding and reporting on the risk culture and framework of the company, both to support internal management and oversight and to be able to report externally. In principle, the risk culture should not be seen as something separate from the overall culture of the organization, and, for risk to be truly embedded, it should be regarded as one element, albeit one that currently deserves specific attention.

ZURICH GROUP’S ENTERPRISE RISK MANAGEMENT FRAMEWORK

At the heart of Zurich’s ERM framework is a governance process with clear responsibilities for taking, managing, monitoring, and reporting risks. (See Exhibit 14.1.) Zurich articulates the roles and responsibilities for risk management throughout the organization, from the board of directors and the chief executive officer (CEO) to its businesses and functional areas. In fact, each business and functional or project team will have someone designated as a risk owner to be responsible for identifying and addressing relevant risk exposures and to help embed ERM further in the business unit and build a more open, positive risk culture.

One of the key elements of Zurich’s ERM framework is to foster transparency by establishing risk reporting standards throughout the organization. Zurich regularly reports on its risk profile, current risk issues, adherence to its risk policies, and improvement actions both at a local and on a senior management level. Zurich has procedures in place for the timely referral of risk issues to senior management and the board of directors. Various governance and control functions coordinate to help ensure that objectives are being achieved, risks are identified and appropriately managed, and internal controls are in place and operating effectively.

Exhibit 14.1 Zurich Risk Management Framework

[Figure not reproduced. Layers of the framework, top to bottom: Strategic Risk Management; Risk Assessment and Mitigation; Risk Quantification; Risk Transparency; Risk Governance and Risk Culture.]

Risk Governance Approach at Zurich with Three Lines of Defense

Zurich uses a “three lines of defense” model to help ensure governance and control. (See Exhibit 14.2.) This model consists of the following:

1. The first line of defense in the business or functional areas involves the employees making day-to-day business decisions like underwriting, managing projects, developing information technology (IT) solutions, or managing human capital issues.

2. The second line of defense is Group Risk Management, which oversees the company’s efforts to apply appropriate risk identification and governance processes and provides tools and frameworks to manage decisions. Group Risk Management also coordinates very closely with the Compliance and Legal departments, Business Continuity Management, IT, Procurement, and other areas, to encourage better coordination across various silos to build an enterprise lens on risk management.

3. The third line of defense is the independent internal audit function, which is responsible for verifying the functionality of the ERM and internal controls framework.

To support the governance process, Zurich relies on documented policies and guidelines. The Zurich Risk Policy is its risk governance document; it specifies Zurich’s risk tolerance, risk limits and authorities, reporting requirements, procedures to approve any exceptions, and procedures for referring risk issues to senior management and the board of directors. The limits are specified per risk type, reflecting the willingness and ability to take risks, considering issues such as earnings stability, economic capital adequacy, financial flexibility and liquidity, franchise value, and reputation. Zurich’s strategic direction and operational plan seeks to achieve a reasonable balance between risk and return, and to be aligned with economic and financial objectives.

Exhibit 14.2 Zurich Risk Governance Overview

[Organization chart not reproduced. Levels, top to bottom: Board of Directors level (Board of Directors; Risk Committee; Audit Committee); Group Executive level (CEO and Group Executive Committee; Group Chief Risk Officer; Group Balance Sheet Committee; Group Finance and Risk Committee; Group Audit); Region, Segment, Division, Business Unit level (Business Management; Audit, Risk, and Control Committees; Risk Management Network, including regional/segment/division Chief Risk Officers and Local Risk Officers). Columns: Risk Taking; Risk Control; Independent Assurance. Note on the figure: “The overview above highlights only key elements of the governance framework that apply to risk management;”]

An important element of Zurich’s ERM framework is a well-balanced and effectively managed remuneration program. This includes a groupwide remuneration philosophy and robust short- and long-term incentive plans, with strong governance and links to the business planning, performance management, and risk policies. Based on Zurich’s Risk Policy, the board establishes the structure and design of the remuneration arrangements so that they do not encourage inappropriate risk taking.

As an ongoing process, adherence to requirements stated in the Zurich Risk Policy is assessed. Zurich regularly enhances its Risk Policy to reflect new insights and changes in the environment and to reflect changes to the risk tolerance. For example, the Zurich Risk Policy was recently updated and strengthened for various areas, including actuarial reserving in General Insurance, reinsurance, receivables, operational risk management, and particularly outsourcing and business continuity management. Related procedures and risk controls were also strengthened or clarified for these areas.

Exhibit 14.3 Zurich’s Core Assessment and Assurance Functions

[Figure not reproduced; the three overlapping functions and their descriptions from the exhibit follow.]

Group Risk Management: Coordinate risk identification, risk assessment, and financial quantification of risk to achieve a holistic view of the organization’s risks. Responsible for coordinating risk reporting. The resultant risk landscape will inform the risk-based assurance activities of the other functions.

Group Audit: Facilitate alignment of assurance methodology and assurance coverage (including raising any gaps in assurance coverage). Includes assurance work of Group Audit, Group Compliance, External Audit, Technical Underwriting, and Claims QA. Responsible for coordinating assurance reporting.

Group Compliance: Specialist function that contributes insights regarding compliance matters. Coordinates with other assurance functions in the discharge of its mandate.

Integrated Assessment and Assurance

Integrated Assessment and Assurance (IAA) is a coordinated view from the Assurance functions to provide greater confidence that risks are identified, those risks are appropriately managed, and mitigation actions are implemented and controls are operating effectively. The Assessment and Assurance functions include Group Risk Management, Group Compliance, and Group Audit. (See Exhibit 14.3.) Close coordination is also maintained with Group Legal, External Audit, and management’s review functions such as underwriting or claims reviews and actuarial peer reviews.

Internal Control Framework

Swiss law prescribes the existence of an Internal Control System (OR 728a) for all “listed companies” and “companies of economic significance.” Zurich Insurance Group was one of the early firms in the industry to establish an internal control system, doing so in 2004. The framework is of core importance in ensuring that company objectives are adhered to and that risks are controlled. The board of directors wants to have positive assurance that an effective internal control system is embedded in the business processes.

Zurich’s Internal Control Framework (ICF) provides to the board the requested global overview of the risks in each business unit and how they are controlled. The evidence of these controls and its documentation serve as proof of the ICF’s existence for regulatory and auditing purposes. Zurich’s three lines of defense help ensure that the Internal Control Framework is enabled.

ROLE OF THE CHIEF RISK OFFICER AND GROUP RISK MANAGEMENT AT ZURICH

Zurich’s chief risk officer (CRO) consults with the other assurance, control, and governance functions to provide the chief executive officer (CEO) with a review of risk factors to consider in the annual process to determine variable compensation. The CRO leads the Group Risk Management function, which develops methods and processes for identifying, measuring, managing, monitoring, and reporting risks throughout Zurich. The CRO is responsible for the oversight of risks across Zurich and regularly reports risk matters to the CEO, senior management committee, and the Risk Committee of the board.

The Group Risk Management organization at Zurich consists of central functions at the Corporate Center and a decentralized risk management network at all the segment, regional, business unit, and functional levels. At the Group level there are two centers of expertise: risk analytics and risk and control. The Risk Analytics department quantitatively assesses insurance, financial market, asset/liability, credit, and operational risks, and is Zurich’s center of excellence for risk quantification and risk modeling. The Risk and Control department includes operational risk management, internal control framework, risk reporting, risk governance, and risk operations. Group Risk Management proposes changes to the risk management framework and Zurich’s risk policies; it makes recommendations on the organization’s risk tolerance and assesses the risk profile.

The risk management network consists of the chief risk officers (CROs) of the Group’s segments and regions, and the local risk officers (LROs) of the business units and functions and their staff. While their primary focus is on operational and business-related risks, they are also responsible for providing a holistic view of all risks for their areas. The risk officers are part of the management teams in their respective businesses and therefore are embedded in the business units. The LROs also report to the segment or regional CROs, who in turn report to the Group’s chief risk officer. The CROs of the Group’s segments and regions are members of the leadership team of the Group’s chief risk officer.

In addition to the risk management network, Zurich has audit and/or oversight committees at the major business and regional levels. These committees are responsible for providing oversight of the risk management and control functions. This includes monitoring adherence to policies and periodic risk reporting. At the local level, these oversight activities are conducted through risk and control committees or quarterly meetings between senior executives and the local heads of governance functions.

In 2012, Zurich strengthened the process through which the assurance, control, and governance functions provide risk and compliance information about each business unit as part of the annual individual performance assessment. Through these processes, Zurich encourages a culture of disciplined risk taking across the organization. It continues to consciously take carefully selected risks for which it expects an adequate return.

Board-Level Risk Committee and Executive Risk Committee Responsibilities

The board of directors of Zurich Insurance Group has ultimate oversight responsibility for Zurich’s risk management program. The board approved the guidelines for the Group’s risk management framework and key principles, particularly as articulated in the Zurich Risk Policy, and decides on changes to such guidelines and key principles, as well as transactions reaching specified thresholds.

The Risk Committee of the board serves as a focal point for oversight regarding Zurich’s risk management. In particular, it oversees Zurich’s risk tolerance, including agreed limits that the board regards as acceptable for Zurich to bear, the aggregation of these limits across the entire organization, the measurement of adherence to risk limits, and its risk tolerance in relation to anticipated capital levels. The Risk Committee further oversees the organization-wide risk governance framework, including risk management and control, risk policies and their implementation, as well as risk strategy and the monitoring of operational risks.

The Risk Committee also reviews the methodologies for risk measurement and its adherence to risk limits. The Risk Committee further reviews, with business management and Zurich’s Risk Management functions, its general policies and procedures and satisfies itself that effective systems of risk management are established and maintained. It receives regular reports from Zurich’s Risk Management Group and assesses whether significant issues of a risk management and control nature are being appropriately addressed by management in a timely manner. The Risk Committee assesses the independence and objectivity of Zurich’s Risk Management functions; approves its terms of reference; reviews the activities, plans, organization, and quality of the function; and reviews key risk management principles and procedures. To facilitate information exchange between the Audit Committee of the board and the Risk Committee of the board, at least one board member is a member of both committees. The Risk Committee generally meets seven times per year, including once jointly with the Remuneration Committee.

Zurich’s Executive Risk Committee, which consists of the CEO together with the Group Executive Committee (GEC), oversees the Group’s performance with regard to risk management and control, strategic, financial, and business policy issues of organization-wide relevance. This includes monitoring adherence to and further development of the Group’s risk management policies and procedures. The Group Balance Sheet Committee and the Group Finance and Risk Committee regularly review and make recommendations on the Group’s risk profile and significant risk-related issues.

The chief risk officer is a member of the GEC and reports directly to the CEO and the Risk Committee of the board. The CRO is a member of each of the management committees listed below, in order to provide a common and integrated approach to risk management, to allow for appropriate quantification and, where necessary, mitigation of risks identified in these committees.

Emerging Risk Group

Zurich’s Emerging Risk Group (ERG) seeks to preempt potential downsides of emerging risk and help its employees and customers understand and address them. The ERG looks to serve customers and society and build business opportunities to increase, not exclude, insurability of emerging risks. The ERG’s remit is to respond to emerging risk threats and opportunities with strategies that help customers understand and protect themselves from risk and that drive profitable underwriting results.

The Zurich Emerging Risk Radar shows potential risks and opportunities that the ERG has currently identified. The online, internal version of Zurich Risk Radar is interactive, and one can roll the cursor over each threat to see a description of a risk and its potential harm—and each risk is classified by its primary scope (Science and Technology, Regulatory, Environmental, Social, or Legal), as well as the time over which the risk will potentially emerge (zero to three years, three to five years, five or more years), plus its potential impact on Group earnings. (See Exhibit 14.4 for a public version.)

WORKING WITH EXTERNAL STAKEHOLDERS

Various external stakeholders, among them regulators, rating agencies, investors, and accounting bodies, have placed emphasis on the importance of a sound risk management program in the insurance industry. Regulatory requirements, such as the Swiss Solvency Test in Switzerland and the regulatory principles of Solvency II in the European Union, have emphasized a risk-based and economic approach, based on comprehensive quantitative and qualitative assessments and reports.

Rating agencies are now interested in enterprise risk management as a factor in evaluating companies’ creditworthiness. Standard & Poor’s, a rating agency with a separate rating for ERM, has rated Zurich’s overall ERM as “strong.” Reinsurance and credit risk controls remain “excellent.” Market, asset/liability management (ALM), reserving, catastrophe, and operational risk controls, as well as strategic and emerging risk management, are seen as “strong.” Zurich is rated either “excellent” or “strong” in all of the Standard & Poor’s dimensions for ERM.

Zurich also seeks external expertise from its International Advisory Council and Natural Catastrophe Advisory Council to better understand and assess risks, particularly regarding areas of complex change. In addition, the Investment Management Advisory Council provides feedback to Investment Management on achieving superior risk-adjusted returns versus liabilities for the Group’s invested assets. Zurich also organizes various regional Risk Management Councils comprised of key customers, which engage to help identify and address issues together.

Zurich is involved in a number of international industry organizations engaged in advancing the regulatory dialogue and sound risk management practices pertaining to the insurance industry. It is also a standing member of and actively contributes to the Emerging Risk Initiative of the CRO Forum (an organization composed of the chief risk officers of major insurance companies and financial conglomerates that focuses on developing and promoting industry best practices in risk management).

Zurich actively participates in professional risk management bodies such as the Risk and Insurance Management Society (RIMS), the Institute of Risk Management (IRM), the Federation of European Risk Management Association (FERMA), and the Association of Insurance and Risk Managers in Industry and Commerce. For example, Zurich’s staff serves on the RIMS ERM Committee and on the global Education Advisory Board of the IRM. It is also involved in various working groups in the Conference Board, supports the Red Cross in crisis recovery, and collaborates with other entities to help promote better risk identification, assessment, prevention, and mitigation.

Zurich is a main contributor to the Global Risk Report that is produced by the World Economic Forum in cooperation with other corporations (Swiss Re, Marsh & McLennan Companies, the Oxford Martin School [University of Oxford], the National University of Singapore, and the Wharton Risk Management and Decision Processes Center [University of Pennsylvania Center for Risk Management]). The report’s assessment of the most pressing global risks and the interconnections among them provides valuable information for risk mitigation worldwide. Supporting the report is also part of the Group’s commitment to corporate responsibility by sharing Zurich’s expertise to help businesses, nations, and society.

Exhibit 14.4 Zurich Risk Radar (figure not reproduced; the radar plots the emerging risks the ERG has identified, each keyed by low, medium, or high probability and by low, medium, or high impact)

ZURICH’S PROPRIETARY TOOLS USED IN ERM FRAMEWORK

Zurich uses a variety of methodologies and tools to manage its business risk, with the following aims:

• Understand issues in enterprise strategy, resilience, supply chain, and business continuity.

• Identify scenarios that could—or should—be built into a strategic and/or operational resilience plan.

• Develop action points and risk responsibilities to help protect profitability.

More information on Zurich’s Strategic Risk Management work can be found at

Total Risk Profiling Tool

One of Zurich’s key proprietary tools is called Total Risk Profiling (TRP); it is a workshop-based approach where a facilitator-led team develops a risk profile by determining relative ratings in probability and severity (likelihood and impact) for potential risk scenarios. (See Exhibit 14.5.) TRP is a structured approach to identifying, assessing, and monitoring holistic risks and the improvement actions needed. Embedding the Total Risk Profiling methodology in its risk culture has helped ensure that Zurich’s risk management culture is consistent and effective across its various business units. Zurich uses these risk scenarios to define the underlying issues and break them into components of vulnerability, trigger, and consequences. The TRP tool can also help a business unit define and quantify its risk tolerance limit. A short video explains more about Total Risk Profiling (

Exhibit 14.5 Zurich Total Risk Profiling Tool (figure not reproduced; it shows the TRP flow: vulnerability identification and assessment feeding a vulnerability catalog; developing risk scenarios, quantifying financial severity, and assessing probability for each scenario in terms of 1. vulnerability (what? where? control?), 2. trigger (how? why? when?), and 3. consequences (how big? why bad? when much?); mapping the resulting risk profile on a probability-versus-severity chart against the risk tolerance boundary; and defining the risk appetite, prioritizing risk scenarios, and delivering an improvement plan with risk reduction/risk improvement advice recorded in a risk improvement catalog)

A risk tolerance limit is defined as part of the risk appetite, and action plans are developed to improve the prioritized risks and bring them within the business unit’s tolerance for risk. The structure of the TRP risk identification process provides a sound basis for detailed quantification of more complex risks. TRP has helped Zurich’s business units set the agenda for internal audit or enterprise risk management to monitor risks at or just below the risk tolerance boundary.

By being able to define multiple risk triggers with different potential consequences, the TRP tool has helped Zurich to identify the true drivers of risk by undertaking various stress tests or even to define new risk exposures. A facilitator-led team develops a relative rating for each risk scenario, often without a predefined scale of impact and likelihood, to improve the business unit’s understanding of the risk.

Another main aim of the flexible TRP tool is to help embed a risk culture that will sustain shareholder value through better enterprise risk management practices and strategic planning processes. Zurich performs nearly 200 TRP workshops per year, ranging from assessing strategy execution, project management, human resources (HR), mergers and acquisitions (M&A), or business interruption (BI) exposures to new product development. In fact, completion of a TRP is a requisite part of the submission for a project budget or operational plan. The TRP tool helps to enable the following:

• Assessment of current and emerging risks to business resilience and profitability

• Alignment of business strategy with key performance indicators

• Communication of board discussion on risk appetite to investors and other stakeholders

• Reviewing the environmental scanning tool for corporate or competitive business strategy development

• Embedding of ERM in the strategic planning process

• Product launches, acquisitions or divestitures, and project management

• Considering the vulnerabilities in the supply chain

• Evaluation of business interruption risk scenarios

• Testing of existing strategies in the context of unrealized/underrealized risks and opportunities

• Use in the objective-setting stage of the business cycle to determine the


Zurich Hazard Analysis Tool

The Zurich Hazard Analysis is a powerful methodology to systematically identify, address, and manage various types of hazards or vulnerabilities and to address and manage the corresponding risks. The methodology is closely related to Total Risk Profiling, and is helpful in defining “pathways” of risks. Zurich has been successfully applying and using it within its operations and with customers for over 20 years in various industries, commercial enterprises, and, more recently, in the financial services industry, as well as public entities.

Zurich’s Risk Room

Another of Zurich’s proprietary tools, called the Zurich Risk Room, helps the organization and its customers to systematically explore major global risks, investigating how they are expressed on a country-by-country basis. (See Exhibit 14.6.) It shows on a 3-D screen how risks and geographies combine (sometimes unexpectedly) to be relevant to Zurich’s business concerns. This tool allows one to see which countries reflect similar profiles, and which risks begin to stand out on mapping various risk correlations. By working across different types of risks, risk correlations are identified that illustrate whether relevant risk connections exist and which ones are the strongest.

The Zurich Risk Room creates a statistical, fact-based assessment of global threats as they relate to business planning and implementation. Its output can complement departmental, regional, or consultant-based research and data, providing an additional objective lens to risk evaluation and reducing the issues related to silo-based risk assessments. Using a consistent global framework, the Zurich Risk Room can help identify threats that may cross boundaries and provide key decision makers with relevant risk information that can help them make more informed business decisions, even if they are not experts in risk analysis.

Exhibit 14.6 Zurich’s Risk Room


By examining risks and interconnections in detail, Zurich is able to compare both individual issues and overall country risk characteristics of one country to those of another. This allows Zurich to see whether a country’s risk profile is unique or it shares similarities with other countries. For international businesses, it is vital to form a picture of where operations and investments are vulnerable and where these vulnerabilities may reside. Zurich is then able to identify how risks are bundled, or where a threat in one area might cascade to another.

A demo version of the Zurich Risk Room software for an iPad or Android tablet can be downloaded by searching for Zurich Risk Room in iTunes or Google Play. In addition, this is a link to a short video that will give a brief overview of the Zurich Risk Room application:

CATEGORIZING VARIOUS RISKS AT ZURICH

In order to enable a consistent, systematic, and disciplined approach to ERM, Zurich categorizes its main risks. (See Exhibit 14.7.) This grouping assists Zurich in monitoring any aggregation of exposures that may be accumulating across the enterprise and could, therefore, have a greater impact on the company.

Exhibit 14.7 Categorizing Various Risks at Zurich (figure not reproduced; its categories and the example risks it lists under each are given below)

PEOPLE RISKS: Accident/Health; Labor/Key employees; Recruiting and retention; Corporate governance; Knowledge management

STRATEGIC RISKS: Joint ventures and subsidiaries; Product development; Mergers and acquisitions; Reputation; Intellectual property; Management skills; Legal and compliance risks

OPERATIONAL RISKS: Sabotage; Machinery breakdown; Transportation; Fire/Explosion; Product liability; Pollution; e-risk; Interdependency; Earthquake; Business interruption; Storm; Bottleneck supplier; Flood

MARKET RISKS: Geographical spread; Patent infringement; Competitors; Trade barriers; Market share

FINANCIAL RISKS: Stock exchange; Capital markets; Liquidity; Fraud; Debtors/Creditors; Currency fluctuation


Strategic Risks

Strategic risks are the unintended risks that can result as a by-product of planning or executing a strategy. For example, they can arise from the following:

• Inadequate assessment of strategic plans

• Improper implementation of strategic plans

• Unexpected changes to assumptions underlying plans

Risk considerations are a key element in the strategic decision-making process. The senior leadership team assesses the implications of strategic decisions on risk- based return measures and risk-based capital in order to optimize the risk/return profile and to take advantage of economically profitable growth opportunities as they arise.

Zurich works on reducing the unintended risks of strategic business decisions through its risk assessment processes and tools. The Group Executive Committee regularly assesses key strategic risk scenarios for the Group as a whole, including scenarios for emerging risks and their strategic implications.

An example of this is when Zurich evaluates the risks of mergers and acquisitions (M&A) transactions from both a quantitative and a qualitative perspective. Zurich conducts risk assessments of M&A transactions to evaluate risk, especially related to the integration of acquired businesses, to help increase the likelihood of successfully attaining the expected benefits. They may also review country-level exposures using the Zurich Risk Room tool.

Insurance Risks

Insurance risk is the inherent uncertainty regarding the occurrence, amount, and timing of insurance liabilities. The exposure is usually transferred to Zurich through the underwriting process. Zurich assumes certain customer risks and aims to manage that transfer of risk and to minimize unintended underwriting risks through the following:

• Establishing limits for underwriting authority

• Requiring specific approvals for transactions involving new products or where established limits of size and complexity may be exceeded

• Using a variety of reserving and modeling techniques to address the various insurance risks inherent in the insurance business

• Ceding insurance risks through proportional, nonproportional, and specific risk reinsurance treaties

Market Risks

Market risks can be associated with the Group’s balance sheet positions where the value or cash flow depends on financial markets. Fluctuating risk drivers resulting in market risk may include:

• Equity market prices

• Real estate market prices

• Interest rates and credit spreads

• Currency exchange rates

Zurich has policies and limits to manage market risk. Zurich aligns its strategic asset allocation to its risk-taking capacity. The Group centralizes the management of certain asset classes to help control aggregation of risk, and provides a consistent approach to constructing portfolios and selecting external asset managers. Zurich also diversifies portfolios, investments, and asset managers. It regularly measures and manages market risk exposure. Zurich has established limits on concentration in investments by single issuers and certain asset classes, as well as deviations of asset interest rate sensitivities from liability interest rate sensitivities, and also has limits on investments that are illiquid.

Credit Risks

Credit risks are associated with a loss or potential loss from counterparties failing to fulfill their financial obligations. Zurich’s exposure to credit risks may be derived from the following main categories of assets:

• Cash and cash equivalents

• Debt securities

• Reinsurance assets

• Mortgage loans and mortgage loans given as collateral

• Other loans

• Receivables

• Derivatives

Zurich strives to manage individual exposures as well as credit risk concentrations. Its objective in managing credit risks is to maintain them within parameters that reflect its strategic objectives and risk tolerance. Sources of credit risks are assessed and monitored, and Zurich has policies to manage special risks within various subcategories of credit risk. To assess counterparty credit risk, Zurich uses the rating assigned by external rating agencies, qualified third parties such as asset managers, and internal rating assessments. When there is a difference among external rating agencies, Zurich assesses the reason for the inconsistencies and applies the lowest of the respective ratings unless other indicators of credit quality justify the assignment of alternative internal credit ratings. Zurich maintains counterparty credit risk databases that record external and internal sources of credit intelligence.

Liquidity Risks

Risks that Zurich may not have sufficient liquidity to meet its obligations when they fall due, or would have to incur excessive costs to do so, are categorized as liquidity risks. Zurich’s policy is to maintain adequate liquidity and contingent liquidity to meet its liquidity needs under both normal and stressed conditions.

Zurich has groupwide liquidity management policies and specific guidelines as to how local businesses have to plan, manage, and report their local liquidity. These include regularly conducting stress tests for all major carriers within Zurich. The stress tests use a standardized set of internally defined stress events and are designed to provide an overview of the potential liquidity drain that Zurich would face if it had to recapitalize local balance sheets.

Operational Risks

Operational risks can be associated with Zurich’s people, processes, and systems, and external events such as outsourcing, catastrophes, legislation, or external fraud. Zurich has a comprehensive framework with a common approach to identify, assess, quantify, mitigate, monitor, and report operational risks within the scenario-based assessments, internal controls evaluations, and loss event data.

In the area of information security, Zurich continues to focus on its global improvement program with special emphasis on protecting customer information, improving security with its suppliers, and monitoring that access to information is properly controlled. This helps Zurich better protect information assets and ensure greater alignment with regulation and policies. A key consideration is maintaining and developing the capability of Zurich’s business continuity with an emphasis on recovery from possible risk events such as natural catastrophe or pandemic. Zurich continues to develop its existing business continuity capability by further implementing a more globally consistent approach to business continuity and crisis management.

Focusing on the risk of claims fraud and nonclaims fraud continues to be of great importance to Zurich. Zurich continues its global antifraud initiative to further improve Zurich’s ability to prevent, detect, and respond to fraud. While claims fraud is calculated as part of insurance risk and nonclaims fraud is calculated as part of operational risk for risk-based capital, both are part of the common framework for assessing and managing operational risks. Zurich considers risk controls to be key instruments for monitoring and managing operational risks. The operational effectiveness of key controls is assessed by self-assessments and independent testing of controls supporting the financial statements.

Reputation Risks

Reputation risks are risks that might arise from an act or omission by Zurich or any of its employees that could result in damage to the Group’s reputation or loss of trust among its stakeholders. Every risk type could have potential consequences for Zurich’s reputation, and therefore effectively managing its exposures holistically and systematically helps Zurich reduce threats to its reputation.

CAPITAL MANAGEMENT

Capital and solvency are managed through an integrated and comprehensive framework of principles and governance structures as well as methodology, monitoring, and reporting processes. The capital management process is illustrated in Exhibit 14.8. At the group executive level, the Group Balance Sheet Committee defines the capital management strategy and sets the principles, standards, and policies for the execution of the strategy. Group Treasury and Capital Management are responsible for the execution of the capital management strategy within the mandate set by the Group Balance Sheet Committee.

Exhibit 14.8 Zurich’s Capital Management Strategy (figure not reproduced; it shows Zurich’s capital management strategy as capital management informed by economic capital adequacy, regulatory capital adequacy, and the insurance financial strength rating, resting on governance and principles and on methodology, monitoring, and reporting, with the capital management tools listed as dividends, share buy-back, share issuances, senior and hybrid debt, reinsurance, and securitization)

Within these defined principles, the group manages its capital using a number of different capital models, taking into account regulatory, economic, and rating agency constraints. The capital and solvency position is monitored and reported on a regular basis. Based on the results of the capital models and the defined standards and principles, Group Treasury and Capital Management has a set of measures and tools available to manage capital within the defined constraints. This tool set is referred to as the Capital Management Program.

The Capital Management Program comprises various measures to optimize shareholders’ return and to meet capital needs, while enabling Zurich to take advantage of growth opportunities as they arise. Such measures are used as and when required and could include efficient balance sheet structuring as well as cash dividends, share buy-backs, special dividends, issuances of shares or senior and subordinated debt, and purchase of reinsurance.

The group seeks to maintain the balance between higher returns for shareholders on equity raised, which may be possible with higher levels of borrowing, and the security provided by a sound capital position. The payment of dividends, share buy-backs, and issuances and redemption of debt can have an important influence on Zurich’s capital levels.

Zurich Economic Capital Model

In addition to a qualitative approach to measuring risks, Zurich regularly measures and quantifies material risks to which it is exposed through both TRP and the Zurich Economic Capital Model (Z-ECM). This model provides a key input into the strategic planning process, as it allows an assessment as to whether its risk profile is in line with its risk tolerance level. In particular, Z-ECM forms the basis for optimizing Zurich’s risk/return profile by providing consistent risk measurement across the Group.

Zurich uses Z-ECM to assess the economic capital consumption of its business with a balance sheet approach. Under the balance sheet approach one looks at the change in stockholders’ or owners’ equity to determine the amount of net income during the period between balance sheets. The Z-ECM framework is embedded in Zurich’s risk culture and plays a critical role in decision making, and is used in capital allocation, business performance management, pricing, reinsurance purchasing, transaction evaluation, and risk optimization, as well as regulatory, investor, and rating agency communication. Z-ECM quantifies the capital required for insurance-related risk (including premium and reserve, natural catastrophe, business, and life insurance), market risk (market/ALM [asset/liability management]), credit risk (including reinsurance credit and investment credit), and operational risks.

At the Group level, Zurich compares Z-ECM capital required to the Z-ECM available financial resources (Z-ECM AFR) to derive an economic solvency ratio (Z-ECM ratio). Z-ECM AFR reflects financial resources available to cover policyholder liabilities in excess of their expected value. It is derived by adjusting the International Financial Reporting Standards (IFRS) shareholders’ equity to reflect the full economic capital base available to absorb any unexpected volatility in Zurich’s business activities. As part of Z-ECM, Zurich uses a scenario-based approach to assess, model, and quantify the capital required for operational risk for business units under extreme circumstances and a very small probability of occurrence (internal model calibrated to a confidence level of 99.95 percent over a one-year time horizon).

Analysis of Capital Adequacy

Zurich maintains interactive relationships with three global rating agencies: Standard & Poor’s, Moody’s, and A.M. Best. The Insurance Financial Strength Rating (IFSR) of Zurich’s main operating entity is an important element of its competitive position. Moreover, Zurich’s credit ratings that are derived from its financial strength rating do, in fact, affect its cost of capital, just like any other credit-rated company.

In each country in which Zurich operates, the local regulator specifies the minimum amount and type of capital that each of the regulated entities must hold in relation to its liabilities. In addition to maintaining the minimum capital required to comply with the solvency requirements, Zurich targets holding an adequate buffer of capital reserves to ensure that each of its regulated subsidiaries meets the local capital requirements. Zurich is subject to different capital requirements depending on the country in which it operates. The main areas are Switzerland and European Economic Area countries, and the United States.

Since January 1, 2011, the Swiss Solvency Test (SST) capital requirements are binding in Switzerland. The Group uses an adaptation of its internal Risk-Based Capital (RBC) model to comply with the SST requirements and runs a full SST calculation twice a year. The model is still subject to Swiss Financial Market Supervisory Authority (FINMA) approval.

ZURICH’S BUSINESS RESILIENCE TOOLS

Business resilience management helps provide Zurich with the structure for dealing with risks systematically, holistically, and successfully. Zurich’s Business Resilience program is supported by an enterprise risk management framework that identifies particular events or circumstances relevant to its business objectives, assesses them in terms of likelihood and magnitude of impact, and then determines a response strategy. (See Exhibit 14.9.) A resilient enterprise is better able to anticipate surprises, recover more quickly from disruptions, adapt to changing conditions, and leverage emerging opportunities.

272 Implementing Enterprise Risk Management

Exhibit 14.9 Zurich’s Business Resilience Program (diagram panels: Profitable Growth; Business Resilience; Total Risk Profiling; Enterprise Risk Management; Business Interruption Modeling; Supply Chain; Business Continuity; Business Impact)

The objective of Zurich’s Business Resilience program is “Prepared, Informed, and Resilient.” This tagline is regularly communicated to staff, especially during Business Resilience Awareness week. Some of Zurich’s proprietary Business Resilience tools are listed here.

Business Interruption Modeling gives Zurich the capability to better manage its risks based on an in-depth understanding of the value chain, with a main focus on the business-critical value flow, followed by identification, assessment, and quantification of business interruption exposures and optional mitigations. As for any organization, a business interruption at Zurich could inhibit productivity and have multiple negative impacts on the organization. Some examples of business interruption impacts include loss of customers, diminished customer service, legal and/or regulatory issues, lower employee morale, and even delays in projects, products, or other strategic growth. Thus, it is essential that organizations map and quantify how they serve customers, in order to proactively protect where they generate value.

Key stages of Business Interruption Modeling include:

• Defining scope by identifying the business-critical part(s) of the value chain
• Building an interdependency framework of business-critical value flows
• Identifying relevant business interruption vulnerabilities as loss of resources such as supplier, production, storage, and customer
• Assessing the extent based on interruption scenarios, and modeling the effects quantitatively
• Prioritizing risks based on financial impact of scenarios, with focus on unacceptable risks in order to develop a beneficial mitigation plan
• Assessing the effectiveness of current business continuity plans and identifying improvement actions

Supply Chain Risk Assessment allows Zurich to improve its reliability and minimize the effects of a supply chain disruption on its capital and earnings. Zurich’s supplier risk assessment should help address vulnerabilities that could inhibit Zurich’s ability to respond to a changing risk landscape. Its supply chain risk evaluation, mapping, and grading are designed to assess and quantify the broad areas of exposures and risk controls in its supply chain. This gives Zurich actionable insights to help facilitate mitigation strategies that can address the characteristics of each supplier individually, including risk transfer options.

The stages of a Supply Chain Risk Assessment include:

• Develop a supply chain/value chain map.
• Gather key supply/supplier details.
• Evaluate risk factor information.
• Define and evaluate potential risk or loss scenarios.
• Develop risk grading for each critical supplier.
• Determine risk strategies.

Business Continuity Management (BCM) includes the mitigation strategies used to minimize the impact after an incident, with the possible scope of risks coming from supply chain risks, strategic risks, operational risks, technological risks, or natural hazards. BCM is very useful in identifying gaps in risk mitigation strategies and improving risk controls to manage those exposures more effectively. As part of Zurich’s business resilience process, BCM is important for managing the multitude of risk exposures and potential interruption scenarios and thus strengthening Zurich’s business resilience program.

Zurich’s Six-Stage Business Continuity Management Life Cycle

1. Modeling key business processes
2. Business impact analysis
3. BCM strategy and processes
4. Business continuity planning
5. Crisis management
6. Training, exercise, maintenance, and assessment

Zurich is able to undertake a regular gap analysis of its business continuity plans against best practices and common BCM-related standards such as International Standards Organization (ISO), National Fire Protection Association (NFPA) and the British Standard. It also routinely tests its crisis response activities. For example, it has planned or completed simulation exercises such as:

• Eurostar trains caught in tunnel
• India: Bomb explosion in hotel where Zurich has employees, impacting the country where company has operations in Pune, Bangalore, and Chennai


• Fire in Home Office location injuring employees, impacting critical processes, and possibly preventing occupancy in location for up to three to four months
• Los Angeles earthquake
• Kansas tornado
• Political demonstration in New York City

Business Impact Analysis is designed to provide the method to identify the systems that, when absent, would create a danger to the survival of the organization. This analysis can also ensure that these systems receive the correct priority in any subsequent business continuity plan.

Key stages of Zurich’s Business Impact Analysis include:

• Prioritize the key business services or processes.
• Identify the internal and external risks to the continuity of these business processes.
• Assess the importance of each risk in terms of both the likelihood and the financial impact of potential outcomes.
• Establish priorities for mitigating the critical risks.
• Develop a management plan of action.
• Assess the business continuity plan and management plan of action.

HOW ZURICH USES ITS ERM TOOLS TO CREATE NEW VALUE

In the area of mergers and acquisitions, Zurich may use two opportunity analysis tools to supplement traditional due diligence practices. Both the Total Risk Profiling tool and the Zurich Risk Room can be used to simulate various risk scenarios and investigate potential outcomes. (See Exhibit 14.10.) When Zurich acquired holdings in Asia and Latin America, these tools served to help identify and understand the risks associated with the strategy, so they could be managed accordingly and increase the likelihood of success on these opportunities.

While key performance indicators (KPIs) can help an organization understand how well it is performing in relation to its strategic objectives, key risk indicators (KRIs) are leading indicators of risks to business performance. (See Exhibit 14.11.)

Zurich’s ERM tools can add value by helping to determine and embed KRIs within its operations to provide an early warning that potential risks are on the rise. Some examples of Zurich using KRIs to monitor risks are in the areas of natural catastrophe risks (percentage of group shareholder equity), asset-liability matching (duration mismatch), strategic asset allocation (mix of investment across categories), and credit risk (weighted average credit rating).

Zurich has the opportunity to create value through business resiliency as well, which addresses disruption to business operations. It can use a combination of modeling software, supply chain risk assessment software, and business continuity gap analysis techniques to evaluate its exposure. It has recently appointed a supply chain risk officer, who reports into Zurich’s CRO organization and is tasked with finding the appropriate balance between cost and reliability. It has a business continuity planning team throughout its operating regions, and maintains a robust network of champions within the business, trained to return the business to operation quickly and efficiently after a disruption. The business continuity team regularly exercises a variety of plans to ensure that Zurich can be ready for many potential risk situations. Stress-testing activities take place in parallel to ensure that the network is prepared to shift workload, deploy contingencies, and remain operational, particularly when customers may have suffered from the same event.

Exhibit 14.10 Zurich Business Resilience Tools

Exhibit 14.11 Zurich Key Performance Indicators and Key Risk Indicators

Key Performance Indicators (KPI):
• Progress on organizational targets and strategic goals
• Monitoring of employee activity completion and budget spend
• Measurement of results
• Forecasting for planning purposes

Key Risk Indicators (KRI):
• Track metrics that are leading indicators to risk of performance
• Measurement based on data of influencing factors
• Ongoing monitoring of the level and cost of risk against risk tolerance
• Track changes in the risk profile of business landscape

With new projects or product development opportunities, Zurich can also use its Total Risk Profiling (TRP) tool to evaluate risk scenarios that may prevent it from delivering on time, on budget, and with the expected results. Completion of a TRP analysis is normally required as part of most requests for project approval and budget. Improvement actions are assigned to risk owners during TRP sessions, and monitored regularly to ensure risk reduction. The TRP tool can also help with quantifying the potential exposure and risk tolerance level. For example, TRP was used as an analysis tool before considering outsourcing IT services, helping to vet the solution as a viable alternative. The risk assessment team assigned risk improvement actions to individuals, and proceeded with the project. The TRP was regularly updated and benchmarked throughout the course of the project, as risks changed and new ones surfaced. The TRP assessment can even be used as a yes/no decision gate during the project phases to help determine that the expected project benefits still outweigh the risks.

The TRP methodology can also be used at the board and senior management levels to help develop strategic (top-down) scenarios that can be applied consistently during operational (bottom-up) assessments across the enterprise. This has helped to ensure uniform handling of certain systemic issues and exposures to better balance the risks and rewards of new opportunities. It is very important to Zurich to set financial parameters around managing current risk issues and guiding key business decisions going forward. The TRP process can build team commitment and focuses management expertise on dedicating resources to mitigate those risks that are outside the risk tolerance level and pose the greatest barriers to achieving corporate objectives.

Another use of the TRP methodology is its employment in a risk tolerance workshop. Establishing a corporate risk tolerance is a critical step in helping increase business controls and profitability across an enterprise. The corporate risk boundary provides a clear indication of both an acceptable risk appetite for new opportunities and an unacceptable risk threshold for downside cost on potential exposures. Risk tolerance is often defined as the level of variability that an organization is willing to accept in its aggregate earnings and capital value at risk (VaR) limits. It is essential to both define and apply corporate risk tolerance in order to prioritize the most critical areas for risk improvement. The risk appetite at Zurich is set by senior management, and then broadly articulated and followed by business and functional areas.

Zurich’s ERM program also contributes to its core business through the processes and procedures to review customer risks. Zurich performs credit checks to monitor collateral and financial viability of many of its customers and suppliers. Its cross-divisional Emerging Risk Group is tasked with scanning the horizon for new exposures that may impact Zurich and its customers. Zurich reviews customers’ loss control techniques and provides best practices guidance through nearly 1,000 risk engineers who specialize in safety and operational risks around the world, serving the dual purpose of supporting customers’ needs as well as protecting Zurich’s own portfolio. Last, accumulations within Zurich’s risk portfolio are monitored via a database to identify areas of disproportionate exposure to a single company, industry, supplier, or geographic location.

CONCLUSION

Every organization’s directors and officers will approach ERM differently in order to achieve their unique objectives. Zurich has taken many steps to help develop a strong and effective ERM program. This program did not emerge overnight, but today Zurich views its ERM program as a competitive advantage well worth the investment. Despite having embedded a robust program into the fabric of its business, Zurich does not rest on its laurels. The program is constantly scrutinized in search of better ways to identify, assess, manage, and monitor Zurich’s key risks. The company has even developed an ERM Gap Analysis that can be done yearly to help determine risk maturity and focus on its top areas for improvement. The organization’s management continuously looks for opportunities to create a closer partnership between ERM and the core business, so that its ERM team is ready to consult and assist the business in understanding risk in pursuit of profit. ERM is certainly a long journey defined by many paths, but one that can continue to yield tremendous benefits for the organization.

APPENDIX

Internally, Zurich uses its Risk-Based Capital (RBC) model, which also forms the basis of the SST model. The RBC model targets a total capital level that is calibrated to an AA-rated financial strength. Zurich defines RBC as being the capital required to protect the Group’s policyholders in order to meet all of their claims with a confidence level of 99.95 percent over a one-year time horizon.

While the Group’s RBC model and the SST model are broadly the same, the following is a summary of the main differences between the three approaches:


• Model calibration. The RBC calibration is based on a value at risk at a 99.95 percent confidence level, whereas SST calibration is based on an expected shortfall at a 99 percent confidence level. The Group thereby sets itself a higher financial strength target than the SST regulatory requirement.

• Scope. Operational and business risks for General Insurance are reflected in RBC, but are not required in SST.

• Market/ALM risk. The extreme scenario for market/ALM risk in RBC is directly attributed to that risk, whereas extreme scenarios in SST are aggregated to the combination of all risk types. This treatment of the extreme scenario in the RBC model leads to a more conservative result than in the SST model.

• Available financial resources (AFR). Senior debt is included in AFR for RBC purposes, but not included in AFR for the SST calculation.

Zurich uses RBC to assess the economic capital consumption of its business in a one-balance-sheet approach. The RBC framework is an integral part of how Zurich is managed. The RBC framework is embedded in Zurich’s organization and decision making, and is used in capital allocation, business performance management, pricing, reinsurance purchasing, transaction evaluation, and risk optimization, as well as regulatory, investor, and rating agency communication.

Zurich compares RBC to its AFR to derive an economic solvency ratio. AFR reflects financial resources available to cover policyholder liabilities in excess of their expected value. It is derived by adjusting the IFRS shareholders’ equity to reflect the full economic capital base available to absorb any unexpected volatility in the Group’s business activities.
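As an added illustration (not Zurich’s model or data) of the calibration difference listed above and of the solvency ratio just described: empirical value at risk at 99.95 percent and expected shortfall at 99 percent are computed on one constructed loss sample, and a made-up AFR figure is divided by the capital each calibration requires. The standard-normal loss distribution, the AFR value, and the sample size are assumptions of the example only.

```python
"""Added example, not Zurich's model: the two tail measures named in the
appendix (VaR at 99.95 percent for RBC, expected shortfall at 99 percent for
SST) on one loss distribution, then the economic solvency ratio
AFR / capital required under each calibration.

Constructed assumption: the one-year aggregate loss in excess of its expected
value is standard normal, measured in units of one standard deviation. A real
economic capital model aggregates several risk types with heavier tails; the
figures here only show how the two calibrations compare on equal footing.
"""
from statistics import NormalDist

RBC_CONFIDENCE = 0.9995   # value at risk, one-year horizon
SST_CONFIDENCE = 0.99     # expected shortfall, one-year horizon


def _tail_count(n, confidence):
    """Number of worst outcomes lying beyond the `confidence` quantile."""
    return max(1, int(round(n * (1.0 - confidence))))


def value_at_risk(losses, confidence):
    """Empirical VaR: the smallest loss not exceeded with probability `confidence`."""
    ordered = sorted(losses)
    return ordered[len(ordered) - _tail_count(len(ordered), confidence) - 1]


def expected_shortfall(losses, confidence):
    """Empirical ES: mean loss in the worst (1 - confidence) share of outcomes."""
    ordered = sorted(losses)
    tail = ordered[len(ordered) - _tail_count(len(ordered), confidence):]
    return sum(tail) / len(tail)


def normal_expected_shortfall(confidence):
    """Closed form for a standard normal loss: ES = pdf(z) / (1 - confidence)."""
    dist = NormalDist()
    return dist.pdf(dist.inv_cdf(confidence)) / (1.0 - confidence)


def solvency_ratio(available_financial_resources, capital_required):
    """Economic solvency ratio: AFR divided by the capital the model requires."""
    return available_financial_resources / capital_required


def constructed_losses(n=100_000):
    """Deterministic standard-normal sample: equally spaced quantiles, no RNG."""
    dist = NormalDist()
    return [dist.inv_cdf((i + 0.5) / n) for i in range(n)]


def compare_calibrations(afr=4.0):
    """Capital required and solvency ratio under both calibrations for the
    constructed sample. `afr` (available financial resources) is a made-up
    figure in the same standard-deviation units as the losses."""
    losses = constructed_losses()
    rbc_capital = value_at_risk(losses, RBC_CONFIDENCE)
    sst_capital = expected_shortfall(losses, SST_CONFIDENCE)
    return {
        "rbc_capital": rbc_capital,
        "sst_capital": sst_capital,
        "rbc_ratio": solvency_ratio(afr, rbc_capital),
        "sst_ratio": solvency_ratio(afr, sst_capital),
        # The RBC target is the stricter one when it demands more capital,
        # which shows up as the lower solvency ratio for the same AFR.
        "rbc_stricter": rbc_capital > sst_capital,
    }


if __name__ == "__main__":
    for key, value in compare_calibrations().items():
        print(f"{key}: {value:.4f}" if isinstance(value, float) else f"{key}: {value}")
```

For the Gaussian assumption the 99.95 percent VaR is about 3.29 standard deviations against an expected shortfall at 99 percent of about 2.67, so the same AFR yields a lower solvency ratio under the RBC calibration; with heavier-tailed losses the gap between the two measures changes, which is why the calibration choice matters.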

At a Group level, the management committees dealing with risks are:

• The Group Balance Sheet Committee (GBSC) acts as a cross-functional body whose main function is to control the activities that materially affect the balance sheets of the Group and its subsidiaries. The GBSC is charged with setting the annual capital and balance sheet plans for the Group based on the Group’s strategy and financial plans, as well as recommending specific transactions or unplanned business changes to the Group’s balance sheet. The GBSC has oversight of all main levers of the balance sheet, including capital management, reinsurance, asset/liability management, and liquidity. The GBSC reviews and recommends the Group’s overall risk tolerance. It is chaired by the CEO.

• The Group Finance and Risk Committee (GFRC) acts as a cross-functional body for financial and risk management matters in the context of the strategy and the overall business activity of the Group. The GFRC oversees financial implications of business decisions and the effective management of the Group’s overall risk profile, including risks related to insurance, financial markets and asset/liability, and credit and operational risks, as well as their interactions. The GFRC proposes remedial actions based on regular briefings from Group Risk Management on the risk profile of the Group. It reviews and formulates recommendations for future courses of action with respect to potential mergers and acquisitions (M&A) transactions, changes to the Zurich Risk Policy, internal insurance programs for the Group, material changes to the Group’s risk-based capital methodology, and the overall risk tolerance. The GFRC is chaired by the chief financial officer, while the chief risk officer acts as deputy.

The management committees rely on output provided by technical committees, including:

• The Asset/Liability Management and Investment Committee (ALMIC) deals with the Group’s asset/liability exposure and investment strategies and is chaired by the chief investment officer.

• The General Insurance Global Underwriting Committee (GUC) acts as a focal point for underwriting policy and related risk controls for General Insurance and is chaired by the Global Chief Underwriting Officer for General Insurance.

• The Group Reinsurance Committee (GRC) defines the Group’s reinsurance strategy in alignment with its risk framework and is chaired by the Global Head of Group Reinsurance.

QUESTIONS

1. How do Zurich’s ERM tools help them better understand their existing and emerging risks?
2. How are Zurich’s risk roles and responsibilities impacting their risk culture?
3. Why is it important to include a Business Resilience program in your organization’s ERM program?
4. How is Zurich’s Capital Management program helping their ERM program?
5. Give some examples of how Zurich has created new value through their ERM program.


ABOUT THE CONTRIBUTORS

Linda Conrad is Director of Strategic Business Risk Management for Zurich. She leads a global team responsible for delivering tactical solutions to Zurich and to customers on strategic issues such as business resilience, supply chain risk, enterprise risk management (ERM), risk culture, and Total Risk Profiling. Linda also addresses enterprise resiliency issues in print and television appearances, including CNBC, Fox Business News, and the Financial Times, and is featured in a Wall Street Journal microsite at

Linda holds a Specialist designation in ERM, and serves on the global Education Advisory Board of the Institute of Risk Management in London. Linda is deputy member of the ERM Committee of the Risk and Insurance Management Society (RIMS), sits on the Supply Chain Risk Leadership Council, and was chairwoman of the Asian Risk Management Conference. She taught at the University of Delaware Captive program and in the Master’s on Supply Chain Management program at the University of Michigan’s Ross School of Business, where she serves on the Corporate Advisory Council. Linda studied at the Graduate Institute of International Studies in Geneva, Switzerland, and Fox Business School.

Kristina Narvaez is the president and owner of ERM Strategies, LLC, which offers ERM research and training to organizations on various ERM-related topics. She graduated from the University of Utah in environmental risk management and then received her MBA from Westminster College. She is a two-time Spencer Education Foundation Graduate Scholar from the Risk and Insurance Management Society and has published more than 30 articles relating to enterprise risk management and board risk governance. She has given many presentations to various risk management associations on topics of ERM. She teaches a Business Strategy class at Brigham Young University.


Embedding ERM into Strategic Planning at the City of Edmonton

KEN BAKER
ERM Program Manager at the City of Edmonton, Alberta, Canada

To me, the only good reason to take a risk is that there’s a decent possibility of a reward that outweighs the hazard. Exploring the edge of the universe and pushing the boundaries of human knowledge and capability strike me as pretty significant rewards, so I accept the risks of being an astronaut, but with an abundance of caution: I want to understand them, manage them, and reduce them as much as possible.

—Commander Chris Hadfield1

The Administration of the City of Edmonton in 2012–2013 explored ways to implement enterprise risk management (ERM), with a focus on strategic risk. Previous attempts at ERM were not fully implemented, but a new opportunity arose when Edmonton created a new strategic plan, The Way Ahead, in 2008. With the strategic plan and goals well established, they required risk analysis to determine what could prevent the city from achieving its goals and objectives, and how to allocate scarce resources most effectively to mitigate risks to achieving those goals and objectives.

The City Administration hired an Enterprise Risk Management Program Manager in 2012 to address the need to implement ERM at a strategic level.

After studying several models and frameworks for addressing risk, and conducting pilot workshops for two of the six directional plans that supported the strategic plan, The Way Ahead, the ERM Program Manager worked with the Administration to determine a course of action going forward based on these workshops.

CONTEXT—CITY OF EDMONTON

The City of Edmonton, capital of the western Canadian province of Alberta, has been a meeting place since the end of the last Ice Age. First settled by Europeans as a fur-trading post in 1795, Edmonton has grown incrementally, driven by prairie settlement in the 1880s, rail connections in 1891 and 1905, and the Klondike Gold Rush of 1897. Already an agricultural center, its reputation as “Oil Capital of Canada” was cemented in 1947 with the discovery of major oil deposits nearby. Growth since that time was largely based on resource development, and further accelerated as Edmonton served as hub for new oil sands development in northern Alberta starting in the 1970s.

Edmonton has grown significantly. In 2013, it was a city of over 800,000, anchoring an Alberta capital region of over 1.1 million. The city is experiencing nation-leading economic and population growth2 and is expected to reach 900,000 by 2018.3 It is home for world-leading research in several fields, including medicine, energy, nanotechnology, and winter city design. Its commercial and cultural life has earned it the nicknames “Gateway to the North,” “Canada’s Festival City,” and “City of Champions.”

City Government

Constitutionally, municipalities in Canada are the responsibility of their respective provincial governments. As such, the City of Edmonton is subject to provincial legislation, mainly the Alberta Municipal Government Act. In 2013 the elected City Council consisted of the mayor as well as a councillor for each of Edmonton’s 12 geographic divisions (wards). Reporting to Council is the City Manager, and through him the City’s 11,000 employees,4 divided into five departments.

The Edmonton City Council operates the two-employee model, the second employee being the City Auditor.

ERM DEVELOPMENT IN THE PAST

In 2003 the Office of the City Auditor (OCA) and Administration jointly created an ERM framework, the Corporate Business Risk Planning (CBRP) model. Using input from several city departments as well as external subject matter experts, the CBRP model was based on the Committee of Sponsoring Organizations (COSO) risk management framework, with modifications to allow for weighting of risks at multiple levels of management. The Conference Board of Canada requested permission to use parts of the framework, in particular the Risk Management Assessment Framework tool. CBRP was presented to senior leadership in 2005 and piloted but not fully implemented; it is believed that Edmonton was not yet ready to undertake the discipline at that time.

City Auditor’s Report

In a 2005 audit report,5 the city auditor reported to the City Council’s Audit Committee that:

• Known risks were being managed reasonably well.
• Risks that are strategic in nature were not clearly identified.
• ERM results were not consistently incorporated into business plans.


Administration Response to City Auditor’s Report

Following the 2005 city auditor’s report, several steps were undertaken to address the issues raised in the report:

• The chief financial officer was appointed sponsor for the ERM program.

• ERM governance was added to the responsibilities of the City Council’s Audit Committee, which consists of the mayor, four city councillors, and two members of the public.

• In 2011 a Program Manager and an ERM Working Committee, made up of subject matter experts from throughout the Administration, were appointed to advise on a framework for strategic risk. At this point the 2005 city auditor’s report was closed.6

• An ERM Program Manager was hired in 2012 to assist the Program Manager. In addition, oversight of the ERM framework selection process was passed to the Transforming Edmonton Committee (TEC), comprised of senior leaders responsible for the goals within the strategic plan (The Way Ahead), and from the ERM Working Committee, although the entire ERM Working Committee was kept abreast of developments.

CURRENT OVERALL ERM DEVELOPMENT

After the city auditor’s report in 2005, Edmonton adopted a 30-year vision and six 10-year goals, forming the City of Edmonton Strategic Plan, The Way Ahead. From it were derived six “Ways” plans (directional goals, objectives, performance measures, and targets) in support of The Way Ahead:

Transform Edmonton’s Urban Form: The Way We Grow
Shift Edmonton’s Transportation Mode: The Way We Move
Improve Edmonton’s Livability: The Way We Live
Preserve and Sustain Edmonton’s Environment: The Way We Green
Ensure Edmonton’s Financial Sustainability: The Way We Finance
Diversify Edmonton’s Economy: The Way We Prosper

At the time of writing, all the directional plans have been approved by City Council, except for The Way We Finance.

A summary of The Way Ahead and the six “Ways” plans derived from it can be found in the Appendix at the end of this chapter.

LINKS TO STRATEGIC PLAN AND TO OTHER STRATEGIC TOOLS

When developing ERM strategy, the following five questions are asked:

1. What are our long-term vision and goals?
2. What strategy will help achieve the vision?
3. What objectives will achieve the strategy?
4. What performance measures will show whether the objectives are achieved?
5. What risks will interfere with achievement of the objectives?


Both performance measurement (PM) and ERM need to be considered when advancing the strategic objectives. Recognizing this, the Office of the Chief Financial Officer realigned its Corporate Strategy and Performance section so that the ERM Program Manager, strategy, and PM staff work together in the same section. This provides possible opportunities to combine the processes of ERM, strategy, and PM to gather information for each more efficiently.

Results-Based Budgeting

ERM assists in resource allocation decisions (as shown in Exhibit 15.1) and so was seen to possibly conflict with budgeting models, including a results-based budgeting (RBB) model concurrently piloted by the Administration. The two models can be reconciled, however. For instance, one of the criteria in the RBB model for evaluating city programs was the amount and likelihood of risk relative to the amount of benefit the program was deemed to provide. Conversely, a program’s quartile rating in RBB could be used as an indicator in the ERM model to determine a program’s effectiveness in achieving its desired outcome. In this way, both models could inform each other.

Exhibit 15.1 Relationship between ERM, Performance Measurement, and Results-Based Budgeting

ERM provides risk assessments to mitigate risks to achievement of the Ways. Performance Measurement provides Key Performance Indicators (KPIs) to determine the successful achievement of the Ways. Results-Based Budgeting provides information to assist with determining funding of programs, initiatives, and projects to fulfill the strategic objectives of the Ways.

1. ERM receives measures of success from Performance Measurement and determines risks to achieving the objectives.
2. Performance Measurement sends a list of desired outcomes to Results-Based Budgeting, and receives lists of prioritized programs and costs.
3. Results-Based Budgeting receives a list of risk mitigations from ERM and creates a list of budgeted mitigation priorities.

(Flow labels in the diagram: Strategic Objectives; Measures of Success; Risks to Achieve Desired Outcomes; Risk Mitigations; Programs and Costs; Mitigation Funding.)

Capital Budgeting Models

Edmonton’s infrastructure branches use sophisticated risk management models for maintaining and replacing current capital assets, and are introducing risk assessment into business cases for new capital projects. The strategic ERM model needs to incorporate these projects at the strategic level.

A graphic showing the linkages between ERM, Performance Measurement, and Results-Based Budgeting is shown in Exhibit 15.1.

SELECTING AND TESTING A STRATEGIC RISK MANAGEMENT MODEL

After a review of several ERM frameworks (CBRP, ISO 31000, COSO, etc.), the Administration decided on a strategy-focused approach. The relationship of strategic ERM as part of the risk universe is shown in Exhibit 15.2.

Such a method was provided in the Risk Scorecard model devised by pm2 Consulting ( The Financial Services and Utilities department (facilitated by the ERM Program Manager) conducted two pilot Risk Scorecards using the pm2 model, for The Way We Move and The Way We Live. Following is a description of the pm2 Risk Scorecard methodology.

Exhibit 15.2 Relationship between Strategic, Project, and Operational Risks (diagram not reproduced; its labels place strategic risk at the level of The Ways and describe project risk as short to medium term with a finite start/end).

Pilot pm2 Risk Scorecard Methodology

The Risk Scorecard consisted of six steps, each dependent on the previous one:

1. Weighting of goals in the plan based on what is the highest priority in the organization to advance

2. Linking of strategic objectives to goals—determine how the strategic objectives contribute to goals, and to what degree (relationship expressed as low/medium/high)

3. Identification of risks to each strategic objective, scored 1 to 5 in likelihood and 1 to 5 in impact

4. Identification of how current programs (processes) contribute to achieving strategic objectives; currently performed—scored 1 to 5 in relationship to strategic objective and in effectiveness in meeting expectations

5. Identification of planned future initiatives—scored 1 to 5 in relationship to strategic objectives

6. Identification of possible future mitigations and risk indicators

Deliverables from this process include a risk register, a heat map, and charts showing each strategic objective’s cumulative levels of risk, program contribution, and initiative contribution, to show relative effort toward areas of relative risk. In addition, a list of possible future mitigations and a list of risk indicators (measures to show as early as possible that a risk may be occurring) can be derived. The methodology is shown in Exhibit 15.3.

Ideally, risk assessment would have taken place during the creation of strategic planning documents to help determine the most risk-appropriate actions to achieve the vision and goals. However, the “Ways” documents were created before ERM was conceptualized in Edmonton. Therefore, pilots were conducted to catch up to each Ways document by conducting a Risk Scorecard workshop for each one. Because of the resource commitment of this exercise, workshops could realistically only be done one at a time. By the summer of 2013, pilot Risk Scorecards for two Ways documents had been completed or nearly completed: The Way We Move and The Way We Live.

Initial Planning

After the Administration and pm2 Consulting agreed on the plan, a facilitator conducted the workshops. For the first pilot, three staff members from pm2 Consulting facilitated the workshop; for the second, the ERM Program Manager was the facilitator. For both pilots, permission for the participation of lead department staff was sought and received from the general manager of the lead department: for The Way We Move, Transportation Services; for The Way We Live, Community Services. Branch managers for strategic planning for both departments were tasked to provide subject matter experts from their staff for the entire workshop; each provided three to five staff members to bring department expertise. In addition, for steps 2 and 3 (risk identification and scoring), senior department staff, mainly branch managers, were asked to participate in scoring the likelihood and impact of risk events, and to add to or amend the list of risk events.


Exhibit 15.3 pm2 Risk Scorecard Process Diagram (diagram not reproduced). Its five stages and the activities under each are: 1. Identify Strategy (The Way We … goals; The Way We … strategic objectives); 2. Identify Key Risk Elements (ISO 31000-based checklist; identify risks); 3. Score Risk Elements (rate impact and likelihood against strategic objectives); 4. Rate Impact and Performance (rate impact and performance against strategic objectives); 5. Determine Indicators and Mitigation Action (identify risk indicators; determine risk mitigation actions). Source: pm2 Consulting, 2012.

Each of the workshops took approximately 60 to 70 hours to complete. To keep time commitments, some portions of steps that were deemed to be less critical were omitted.

Step 1: Identify Strategy

The first step in the process is to identify strategic direction. Edmonton had a 30-year strategic plan, The Way Ahead. Using input from the public as well as subject matter experts, The Way Ahead was approved by the City Council and is the key planning document for the city going forward. To assist in its implementation are the six Ways plans noted previously. These documents made strategy identification straightforward. For the first pilot, The Way We Move (transportation plan) was selected. It was considered the best place to start because it was the most homogeneous of the plans; responsibility for its implementation was overwhelmingly with one department, Transportation Services. As well, its format made it essentially a capital plan, with easily understood objectives and goals.

At this point the ERM team had to decide at what level the strategic weightings were to occur. Options included the six 10-year goals or the 19 strategic objectives, among others. It was decided that the strategic objectives would be the appropriate level of analysis for the risk register. The goals would be at too high a level to be meaningful, and other criteria would not serve the city’s purpose in addressing the risk needs of the Ways.

Exhibit 15.4 Relationship between Strategic Goals and Objectives (table not reproduced). The goals on the vertical axis are Vibrant, Connected, Engaged, Welcoming; Celebrates Life; Caring, Inclusive, Affordable; Safe City; Attractive City; and Sustainable City; the strategic objectives (1.1, 1.2, 1.3, …) run across the top, with a 1 to 5 relationship score in each cell. Source: Adapted from pm2 Consultants Risk Score Card Model, 2012.

At this point a weighting of the goals was attempted. Subject matter experts, including the department general manager, allocated a percentage of support to each of the six goals. (It should be noted that, for political reasons, this weighting of the goals may be skipped as management may not want to prioritize these at this time.) The goals were then placed on the vertical axis of a table, with the strategic objectives across the top. An example of this table can be found in Exhibit 15.4.

For each strategic objective, the subject matter experts (in this case, four people from the Community Services department) indicated the link to each goal on a scale of 1 to 5. The larger an objective, the more goals it would relate to, and the higher weighting it would receive. When this was completed, each strategic objective had a weighting (C), expressed as a percentage, calculated as:

C = Σ(A × B) / Σ over all columns [Σ(A × B)] × 100

where:

A = Goal weighting (expressed as a percentage)
B = Relationship to objective (1 to 5)

The sums for each column are added together to get a total weighting; each column’s sum is then divided by this total to derive that column’s relative weighting (in this example, 4 percent).

This gave each strategic objective a weighting. This weighting was then compared to that of every other strategic objective to arrive at a percentage of the total weighting. This kept the weightings constant in relative terms.

The objectives were then transposed to another table where they formed the vertical axis, then sorted by their percentage of the total objective weighting, with the highest weightings at the top. This allowed the group to select high, medium, or low weightings for each strategic objective. This categorization would be carried on to the next step, risk identification.

Step 2: Identify Key Risk Elements

Using a risk category checklist (a list of categories of potential risks covering all possible types of risk—e.g., financial, political, partner), the workshop group, with assistance from a number of subject matter experts, including branch managers, created a list of risks that could impact the achievement of the strategic objectives.

Step 3: Score Risk Elements

The risks agreed on by the group were then placed across the top of a table with the strategic objectives listed vertically along the left side. Directly below each risk was a measure of likelihood of the risk occurring (again on a 1 to 5 scale). The likelihood score was agreed on by the subject matter experts. The team then scored each risk to each strategic objective, again on a 1 to 5 scale. This provided two outputs: the scoring of risks and the risk weighting of each strategic objective. A sample of this table is shown in Exhibit 15.5.

The risk scores were calculated as:

Σ (D × E × F)

where:

D = Strategic objective weighting (1 for low, 3 for medium, 5 for high)
E = Risk impact on objective (1 to 5)
F = Risk likelihood (from top of column) (1 to 5)

These were summed vertically for each risk. The risk weighting of each strategic objective was calculated using the same formula but summed horizontally for each strategic objective. The risks were then transposed onto a data table with their likelihood and their weighted impact score (the sum of each D × E calculation for each cell in the column). This provided the basis for the risk register and the heat map.

At this point, several graphs can be created to show the relative nature of the risks and the strategic objectives. From a risk-based perspective, a heat map can be created showing the risks with the highest likelihood and weighted impact score. The more strategic objectives a risk can affect, the greater is the weighted impact score for that risk. For strategic objectives, a graph can be produced to show the strategic objectives most impacted by risk. The more risks affecting a strategic objective, and with greater impacts, the greater that objective’s weighted risk score.

Step 4: Link Programs, Initiatives, and Risks

Exhibit 15.5 Relationship between Risks and Strategic Objectives (table not reproduced). Source: Adapted from pm2 Consulting Risk Scorecard model, 2012.

The next list required was that of the existing programs currently in place to fulfill the strategic objectives. For the ease of the workshop, it was decided to use the list of programs shown in the annual operating budget. Other program levels could have been used, such as that used in the city’s results-based budgeting (RBB) initiative. This initiative divided budget-level programs into smaller components, which would be easier to change but increased the number of programs tenfold. It was for this reason the RBB-level program list was rejected; the number of programs in that initiative was exceedingly high.

Once a program level was agreed on, a new table was created, with the programs across the top and the strategic objectives down the left side. On this table, the subject matter experts scored the impact of the relationship between each program and each strategic objective (on a 1 to 5 scale). In addition, the participants estimated the effectiveness of each program (i.e., whether it fulfilled the requirements of the program), again on a 1 to 5 scale, with 5 meaning the program was performing as required and 1 meaning the program’s performance was well below what was required. The difference between what was required of the program and its actual performance (i.e., 5 minus the effectiveness score) was known as the strategic gap. An excerpt from this table can be found in Exhibit 15.6.


Exhibit 15.6 Linkages between Strategy and Programs Source: Adapted from pm2 Consulting Risk Scorecard model, 2012.

At this point a new graph could be created, with a vertical bar for each strategic objective and its cumulative program requirements. Adding the cumulative effectiveness and cumulative strategic gap gave a stacked bar graph whose height was its cumulative program requirement. The bigger the objective, the more programs it had and therefore the higher cumulative program requirements (and likely a proportionally large strategic gap).

The last dimension in step 4 was to list new initiatives the City planned to implement, and rate their importance to each strategic objective. For the purposes of the workshop, it was decided to limit the list to those in the Implementation Plan for each Ways document. Within this set of possibilities, only the initiatives coded as “will do” (not “already done,” “already doing,” “could do,” or “aspire to do”) were used for the initiatives list, to keep it to a manageable size. With this list scored by each strategic objective on a 1 to 5 scale, a graph could be produced showing the cumulative impact of future initiatives on each strategic objective. A table linking initiatives to strategy is found in Exhibit 15.7.

Exhibit 15.7 Linkages between Strategy and Initiatives (table not reproduced; each cell holds a 1 to 5 score linking an initiative to a strategic objective). Source: Adapted from pm2 Consulting Risk Scorecard model, 2012.

With the strategic gap and initiatives impact established, the two graphs for each objective could be combined on one graph to show the cumulative strategic gap and cumulative initiative impact for each strategic objective. If resources were properly allocated, one would expect to see a correlation between the height of the strategic gap bar and the height of the cumulative initiative impact point for each objective. For viewing purposes, it was necessary to use different scales for each data series, to best show the correlation. Finally, the risk weighting for each strategic objective could be added to the graph. This showed the relative risks associated with each strategic objective in relation to its required programs and initiatives.


Exhibit 15.8 Strategic Objectives—Risk, Strategic Gap, and Impact of Initiatives Source: Adapted from pm2 Consulting Risk Scorecard model, 2012.

Overall, a correlation between risk, strategic gap, and initiatives may be observed. For objectives whose risks do not correlate with strategic gap and initiatives, this forms the basis of discussion for the objective; in-depth analysis shows the types of risks, whether they are caused by or independent of the programs comprising the strategic gap, and whether future initiatives address the risks, either directly or indirectly. The graph showing risk, strategic gap, and impact of initiatives on strategic objectives is found in Exhibit 15.8.
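The arithmetic behind steps 1, 3, and 4 above, as an added worked example in Python (not code from the chapter or from pm2 Consulting): it computes the objective weightings C from goal weights A and relationships B, bands the sorted objectives into D values of 5/3/1, sums D × E × F down each risk column and across each objective row, and derives cumulative effectiveness, strategic gap, and initiative impact per objective. Every goal, objective, risk, program, initiative, and score below is a constructed sample value. Two rules are assumptions, because the chapter leaves them to the workshop group: the top-ranked objective is banded high, the bottom-ranked low, and the rest medium; and a program counts toward an objective whenever its relationship score is above zero.

```python
"""Risk Scorecard arithmetic for steps 1, 3 and 4 (constructed sample data)."""
from typing import Dict, Tuple

# Step 1 inputs (constructed): goal weightings A, in percent, and the 1-5
# relationship B of each strategic objective to each goal.
GOAL_WEIGHTS: Dict[str, float] = {
    "Safe City": 50.0, "Attractive City": 30.0, "Sustainable City": 20.0,
}
OBJECTIVE_GOAL_LINKS: Dict[str, Dict[str, int]] = {
    "1.1": {"Safe City": 5, "Attractive City": 2, "Sustainable City": 1},
    "1.2": {"Safe City": 1, "Attractive City": 4, "Sustainable City": 3},
    "1.3": {"Safe City": 2, "Attractive City": 2, "Sustainable City": 5},
}

# Step 3 inputs (constructed): likelihood F per risk (the top of each column)
# and impact E of each risk on each objective.
RISK_LIKELIHOOD: Dict[str, int] = {"Funding shortfall": 4, "Contractor default": 2}
RISK_IMPACT: Dict[str, Dict[str, int]] = {
    "1.1": {"Funding shortfall": 5, "Contractor default": 3},
    "1.2": {"Funding shortfall": 2, "Contractor default": 4},
    "1.3": {"Funding shortfall": 3, "Contractor default": 1},
}

# Step 4 inputs (constructed): effectiveness of each program (1-5), the
# program-to-objective relationship (1-5, 0 = not linked; the zero threshold
# is an assumption) and the impact of each "will do" initiative per objective.
PROGRAM_EFFECTIVENESS: Dict[str, int] = {"Road maintenance": 4, "Transit operations": 2}
PROGRAM_LINKS: Dict[str, Dict[str, int]] = {
    "1.1": {"Road maintenance": 5, "Transit operations": 3},
    "1.2": {"Road maintenance": 0, "Transit operations": 4},
    "1.3": {"Road maintenance": 2, "Transit operations": 0},
}
INITIATIVE_IMPACT: Dict[str, Dict[str, int]] = {
    "1.1": {"LRT extension": 4, "Bike network": 1},
    "1.2": {"LRT extension": 2, "Bike network": 5},
    "1.3": {"LRT extension": 1, "Bike network": 3},
}

D_SCORE = {"high": 5, "medium": 3, "low": 1}  # the chapter's D values


def objective_weights(goal_weights: Dict[str, float],
                      links: Dict[str, Dict[str, int]]) -> Dict[str, float]:
    """Step 1: C = sum(A x B) / sum over all objectives [sum(A x B)] x 100."""
    raw = {obj: sum(goal_weights[g] * b for g, b in rel.items())
           for obj, rel in links.items()}
    total = sum(raw.values())
    return {obj: 100.0 * v / total for obj, v in raw.items()}


def band_objectives(weights: Dict[str, float]) -> Dict[str, int]:
    """Sort objectives by C and assign D. Assumption: top-ranked is high,
    bottom-ranked is low, everything in between is medium."""
    ordered = sorted(weights, key=weights.__getitem__, reverse=True)
    d: Dict[str, int] = {}
    for rank, obj in enumerate(ordered):
        band = "high" if rank == 0 else "low" if rank == len(ordered) - 1 else "medium"
        d[obj] = D_SCORE[band]
    return d


def score_risks(d: Dict[str, int], impact: Dict[str, Dict[str, int]],
                likelihood: Dict[str, int]):
    """Step 3. Down each risk column: weighted impact = sum(D x E) and risk
    score = sum(D x E x F). Across each objective row: risk weighting = sum(D x E x F)."""
    weighted_impact = dict.fromkeys(likelihood, 0)
    risk_score = dict.fromkeys(likelihood, 0)
    objective_risk: Dict[str, int] = {}
    for obj, row in impact.items():
        objective_risk[obj] = 0
        for risk, e in row.items():
            de = d[obj] * e
            weighted_impact[risk] += de
            risk_score[risk] += de * likelihood[risk]
            objective_risk[obj] += de * likelihood[risk]
    return weighted_impact, risk_score, objective_risk


def heat_map_points(weighted_impact: Dict[str, int],
                    likelihood: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Heat map / risk register coordinates: (likelihood, weighted impact) per risk."""
    return {r: (likelihood[r], weighted_impact[r]) for r in likelihood}


def program_gap(links: Dict[str, Dict[str, int]],
                effectiveness: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Step 4: cumulative effectiveness and strategic gap (5 minus effectiveness)
    over the programs linked to each objective; their sum is the objective's
    cumulative program requirement (the height of the stacked bar)."""
    out: Dict[str, Tuple[int, int]] = {}
    for obj, rel in links.items():
        linked = [p for p, r in rel.items() if r > 0]
        eff = sum(effectiveness[p] for p in linked)
        out[obj] = (eff, 5 * len(linked) - eff)
    return out


def scorecard() -> Dict[str, Dict[str, float]]:
    """Per-objective summary: the three series the chapter plots together."""
    weights = objective_weights(GOAL_WEIGHTS, OBJECTIVE_GOAL_LINKS)
    d = band_objectives(weights)
    _, _, objective_risk = score_risks(d, RISK_IMPACT, RISK_LIKELIHOOD)
    gaps = program_gap(PROGRAM_LINKS, PROGRAM_EFFECTIVENESS)
    return {
        obj: {
            "weight_pct": round(weights[obj], 1),
            "D": d[obj],
            "risk_weighting": objective_risk[obj],
            "effectiveness": gaps[obj][0],
            "strategic_gap": gaps[obj][1],
            "initiative_impact": sum(INITIATIVE_IMPACT[obj].values()),
        }
        for obj in weights
    }


if __name__ == "__main__":
    for obj, row in scorecard().items():
        print(obj, row)
```

Because the weighted impact score sums D × E over every objective a risk touches, a risk that affects many heavily weighted objectives climbs the heat map even at modest likelihood, which is the behaviour the chapter describes; the per-objective rows of `scorecard()` are the three series (risk weighting, strategic gap, initiative impact) that step 4 plots on one graph.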

Step 5: Determine Indicators and Mitigation Actions

The final step involved completion of a risk indicator worksheet for each risk/strategic objective combination. This sheet required the user to list potential mitigation strategies, including required lead time, as well as indicators of inputs, actions, or outputs that would signal the potential onset of a risk event. The worksheet data were then summarized in a database indicating strategic objective, risk, mitigation, lead time, and whether the organization is already undertaking the mitigation. The database could then be grouped by objective, risk, or mitigation as needed.

On completion of the mitigation database, the final risk scorecard could be completed. This was a table showing strategic objectives on the left and risks across the top. For each data point, the impact of the risk on that objective was indicated, as was its performance (good, fair, or poor shown as medium gray, light gray, dark gray), and showed the risk level for each objective (the level of potential risk of the risk element impacting this strategic objective).

This provided a basis of discussion to identify key risks affecting strategic objectives.


SELECTING AN ERM FRAMEWORK

At the end of the second pilot, each department involved (Transportation Services for The Way We Move and Community Services for The Way We Live) was consulted to provide feedback on the process. As a result of the consultations it was decided to componentize the pm2 model, as some aspects were seen to add more value than others. In addition, the model as a whole was found to provide levels of complexity that, while useful, might preclude its successful implementation. Each individual component could then be compared with other frameworks.

During this time, staff from the Edmonton Police Service (EPS) met with the Financial Services staff and presented its ERM process, based on the ISO 31000 framework. By provincial law, EPS maintains a separate command structure, reporting to the City Council through the Edmonton Police Commission. Independently, the EPS had, over a span of five years, evolved a mature ERM process based on in-depth performance measurement tools and impetus from the Police Commission to proactively identify and treat its risks. The EPS felt at this time that it could offer to share its ERM model with other city departments on an operational level. This provided an incentive for the Financial Services department to compare the pm2 model with the ISO 31000 framework to determine a best solution going forward. A diagram of the ISO 31000 ERM process is found in Exhibit 15.9.

Comparison of pm2 and ISO 31000 Frameworks

After two pilots of the pm2 framework (with The Way We Move and The Way We Live), the ERM team evaluated the pilots to provide recommendations for strategic ERM going forward. Elements were taken from ISO 31000 and the pilot project. A comparison of the two frameworks is found in Exhibit 15.10.

Exhibit 15.9 ISO 31000 Enterprise Risk Management Process Chart (diagram not reproduced; it shows Establish Context, then Risk Assessment comprising Identify Risks, Analyze Risks, and Evaluate Risks, then Treat Risks, with Communicate and Consult and Monitor and Review running alongside every stage). Source: Based on CAN/CSA-ISO 31000-10, Risk Management—Principles and Guidelines, International Standards Organization/Canadian Standards Association, 2009.

Exhibit 15.10 Comparison—pm2 Risk Scorecard versus ISO 31000 Model

pm2 Risk Scorecard                        ISO 31000
PROS                                      PROS
Strong weighting method                   Simpler to implement
Includes programs and initiatives         Robust global standard
Powerful tool                             Required for Enviso
CONS                                      CONS
Part of a larger process                  No programs and initiatives
Complex—hard to implement                 No direct tie to other processes
Mitigation process hard to implement

RECOMMENDED STRATEGIC ERM MODEL

After reviewing the results from the two pm2 pilots, the ERM team consulted with the subject matter experts from both operating departments involved in the Risk Scorecard workshops. The participants saw the logic in the model and had a good understanding of what was required in the workshop. They also provided valuable feedback on the usefulness of each section of the model.

All participants regarded step 1, the linking of goals and strategic objectives, as a strength; in fact, it was believed that this methodology would add value to other processes as well, such as results-based budgeting. Steps 2 and 3, identifying and scoring risks, would be core processes for any risk model. Step 4, linking programs, initiatives, and risks, was regarded as powerful but potentially confusing to branch managers and, as a result, might not add the expected value to the process. Moreover, linking programs and initiatives may have also been done with other processes, making this a duplication of effort. Finally, step 5, while necessary to the ERM process, was considered to be excessively complex and time-consuming. A simpler process for determining mitigations and following up was needed. From discussions with EPS and other research regarding ISO 31000, it was determined that the ISO 31000 framework held the key to a simpler risk mitigation and review process. It was also superior to the Risk Scorecard model in that it focused on mitigation at the risk level, rather than the strategic objective level, and did not require a separate worksheet for each risk/objective combination. Finally, because several city branches were certified to the ISO 14001 (Environmental Management) standard under Edmonton’s Enviso program, it was noted that upcoming recertifications would require risk assessment conforming to the ISO 31000 standard.

The final recommended strategic ERM model for the City of Edmonton consisted of four steps, and is shown in Exhibit 15.11.

Step 1 (Weight Goals and Objectives), step 2 (Identify Risks), and step 3 (Assess Risks) are the same as steps 1 to 3 in the pm2 Risk Scorecard model. Step 4, however, is based on the “Evaluate Risks” and “Treat Risks” sections of the ISO 31000 RM (risk management) standard. In Step 4, the risks are transposed onto a risk register, where each row contains the necessary information for that risk: category, description, likelihood score, weighted impact score, weighted risk score, risk rating, risk acceptance, summary comments, current mitigations, future mitigations, risk owner, status update, and update interval.

Exhibit 15.11 The City of Edmonton’s Proposed ISO 31000–Based Strategic Risk Management Framework (diagram not reproduced). It shows the stages in sequence: Weight Goals and Objectives (goals from The Ways; objectives from The Ways; identify linkages between goals and objectives); Identify Risks (identify risks to strategic objectives from the Ways plans using a risk universe checklist); Assess Risks (determine likelihood and impact of risks to strategic objectives; prioritize risks by weighting: likelihood × impact × weighting); Determine Mitigations (determine appropriate actions, assign to risk owners, and follow up); and Review/Update.

An example of the proposed risk register is found in Exhibit 15.12.

LESSONS LEARNED

Several lessons were learned in terms of (1) key success factors and (2) the process of selecting and implementing a framework. The findings from these two categories are shown next.

Key Success Factors

Buy-In by Senior Management

Edmonton’s Corporate Leadership Team (CLT, comprised of the city manager and the general manager of each department) has supported the concept of ERM. At a senior management level, staff must be able to perceive the value added by ERM. This makes design of an appropriate ERM process, which can show value to management, critical to its success. An example of the value proposition is found in Exhibit 15.13.

In general, the process must have two properties: it must be simple and it must show the value of doing it.

A critical balance must be struck between model power (i.e., how much information it provides) and user-friendliness. A model can provide large amounts of information but will not be helpful if it is too complex to be understood or too time-consuming to be considered worthwhile by the users. Conversely, a model that is too simple will not be helpful, as it will lack the relevance to achieve buy-in.

The pm2 model consists of a number of simple steps performed in sequence to produce powerful results. These results include comparisons of risk, effectiveness of current programs, and the impact of future initiatives on achievement of strategic objectives. The challenge for the ERM team is to show the simplicity of the steps in the model to leaders, to ensure their understanding of the concept and buy-in to the model. Concerns have been voiced by department staff that the model, as followed in the pilot Risk Scorecard workshop, may include steps deemed too complex by branch managers. If necessary, some steps can be removed, and the model stripped to its risk analysis component if other levels of analysis are deemed not to add value to management, without losing the robustness of the model.

Whatever model is used, it must be customizable to the city’s circumstances. For example, if branch managers believe a process to be too time-consuming or too difficult, it must be shortened and simplified to overcome this concern. Conversely, if the model is considered too simplistic to add value, rigor must be added to the model to show the value added and to show the time spent to be worthwhile.

Culture of Innovation (Risk-Smart)

In addition to buy-in from senior leadership, ERM also requires a culture of innovation, where new ideas are embraced and failure is tolerated. At a senior management level, the Transforming Edmonton Committee (TEC) is responsible for overseeing strategic planning and successful achievement of the city’s strategic goals under The Way Ahead. Ensuring that the TEC understands the relationship between strategy, ERM, and performance measurement (PM) is key to successful ERM implementation.

Exhibit 15.12 Sample Proposed Risk Register (table not reproduced). Its columns are Category; Risk Element; Current Risk Rating; Risk Accepted? (Y/N); Summary Comments; Mitigation Actions; Future Mitigation Actions; Owner; Risk Status Update; and Update Required. The sample row reads, in part: Economic; Economic slowdown results in increased demands on Social Supports; Medium; No; Strategic Outcomes: Higher demands are placed on existing programs, resulting in reduced overall service levels. Risk Not Acceptable: Economic slowdown will require the City to prioritize programs and reallocate resources to provide social services in the most effective manner; Devise scalable plan for program prioritization; Economic conditions are monitored constantly, no downturn detected to date (4 Oct. 13); 6 Months.

Exhibit 15.13 The ERM Value Proposition (diagram not reproduced; it shows a chain from Enterprise Risk Management to Better Information, Quality Decisions, Enhanced Performance, and More Value for Citizens). Source: Integrated Risk Management “Building Bridges: City of Winnipeg, Audit Department”, February 2009.

Governments have traditionally been regarded as risk-averse, as political opponents would pounce on any perceived error by the government. To enable a culture of innovation, however, the organization must move from a risk-averse view to a risk-aware view, in which it openly recognizes the risks it faces. Finally, as the organization fully embraces its culture of innovation, it must move from a risk-aware view to a risk-smart view, where risks are embraced, well-managed, and mined for opportunities.

Consistency of Model across the Ways

The ERM Program Manager, as facilitator of the workshops, must ensure that consistent standards are maintained in weighting objectives, defining risks, and determining mitigations and feedback.

A strength of the pm2 model is its robustness. This robustness stems from the model’s system of weighting of strategic goals and objectives. Even if a future City Council drastically changed the prioritization of the goals, the model would automatically adjust for this change and update the risk register and other outputs accordingly. Other models would require an in-depth review of each risk in light of such a change.

This weighting system for goals and objectives can potentially be carried over to other management processes as well. For example, the results-based budgeting (RBB) model currently being tested by the City also has a weighting system for city programs to prioritize them. In addition, performance measures can be similarly prioritized to determine which ones carry the highest priority and therefore warrant the most scrutiny.

Another strength of the pm2 model is that it does not differentiate between operating and capital items. Often a strategic objective has both a capital and an operating component (e.g., construction of a new recreation center and staffing and maintaining it afterward), which are dealt with in separate operating and capital budget cycles.

Resource Requirements on Department Subject Matter Experts

Each step in the ERM framework requires input at a senior management level in each operating department. Cumulatively these time requirements can be material for senior management already dealing with the resource constraints of their regular duties. The challenge for the ERM and other models is to minimize the time required of city staff to avoid push-back from project fatigue, which would impact the success of the ERM program.


Department Accountability for Key Risks

When key risks are identified, the department in question must take ownership of the model and assign key risks to designated risk owners. These individuals will be responsible for devising and implementing mitigation strategies and reporting results at appropriate intervals.

Findings on the Process of Selecting and Implementing a Framework

Implementing an ERM framework typically takes longer than expected. More time seems to be spent getting buy-in for the concept from the C-suite and devising an appropriate model than one could ever predict. Rarely do off-the-shelf frameworks exist that can be employed in short order; plans usually have to be tailored to fit the organization’s unique circumstances. Some of Edmonton’s learnings from this ERM implementation include the following.

There is no perfect system. What works for one organization may not work for another. What is necessary is flexibility. Any system must be simple enough to understand, robust enough to be usable in any area of the organization, and powerful enough to add value in decision making. In addition, it may be preferable to create a hybrid approach, taking the best parts of two or more competing systems to create one that best meets the organization’s needs.

No matter how good an ERM framework is, if senior leadership does not buy in to the framework, it cannot succeed, as management will need to see the usefulness and cost justification. Three frameworks were presented to senior leadership between 2005 and 2013; all were sound and based on extensive research and knowledge of risk management principles. All were found by senior leadership to be either too complex or not a fit to Edmonton’s needs.

It may be problematic to try to roll out an entire system at once. In the initial ERM planning phases there seems to be a tendency to try to hit a home run; that is, to roll out a perfect ERM system at strategic, project, and operating levels all at once. It may be the most efficient in theory, but in practice it requires a prohibitive amount of up-front resources. It ignores the learning curve managers have in learning about ERM, how it applies to them, and how to do it. This leads to the next point.

It may be preferable to introduce one phase of ERM at a time. In Edmonton’s case, previous attempts at an ERM framework were unsuccessful because they went against the stated wishes of the Corporate Leadership Team (CLT). One of the CLT’s main drivers for action on ERM was the 2005 city auditor’s report, which identified issues mainly with strategic risk. With this in mind, the CLT wanted to focus on strategic risk alone rather than on an overall framework. In terms of a corporate rollout, then, phase 1 was to be strategic risk; project risk and operational risk could be dealt with later, as these were lower priorities for the CLT and the city auditor.

When working with operating departments on a framework (even a pilot), it is important to define clearly what you want to accomplish with the operating departments in question. In this case, it was clearly defined that the department owned the risk register and was responsible for its content; the ERM team’s role was to maintain it. Going forward, the ERM team’s role was also that of facilitator, coach, and mentor to the department staff.


CONCLUSION

At time of writing, the recommended strategic ERM model was being fine-tuned for the remaining Ways documents, pending feedback from the teams involved in the two pilot Risk Scorecards.

In the longer term, the ERM Program Manager recommended further consolidation of the ERM model by ensuring links to project risk management, and by harmonizing operations’ risk management practices with the ISO 31000 risk management standard, to provide consistent risk management methods to all areas, many of which are already practicing ERM, but using different formats.

Finally, the process of ERM needs to be tied to the process of performance measurement going forward. As strategic performance measures are created or amended, the risks to achieving them need to be identified at the same time, to provide the most efficient and effective means of ensuring that the measures of success can be achieved.

APPENDIX: SUMMARY OF THE WAY AHEAD, EDMONTON’S STRATEGIC PLAN

The City of Edmonton developed a strategic plan in 2008 called The Way Ahead. It contains:

• A 30-year citizen-built City vision, describing Edmonton’s future
• Six 10-year strategic goals: Transform Edmonton’s Urban Form; Shift Edmonton’s Transportation Mode; Improve Edmonton’s Livability; Preserve and Sustain Edmonton’s Environment; Ensure Edmonton’s Financial Sustainability; and Diversify Edmonton’s Economy
• Corporate outcomes, performance measures, and targets

The Way Ahead was developed using the principles of integration, sustainability, livability, and innovation. It was built on a strong base of programs and services that already exist.

The Way Ahead has provided a foundation for prioritization and decision making. Since 2008, continual improvement has been made to the plan.

To better understand and measure how Edmonton is advancing the vision and 10-year goals, corporate outcomes for all six 10-year goals and performance measures for five of the six goals were developed in 2010. Performance measure targets for three of the six goals were approved in 2011. The Way Ahead was updated in 2011 to reflect this progress.

Over the past five years, the city has developed several directional plans to help achieve The Way Ahead.

Directional plans, referred to as the Ways plans, have been established to focus the city’s work both on the achievement of the 10-year strategic goals and on delivering existing services to citizens. Accompanying Ways implementation plans were also developed to outline specific initiatives and actions that contribute significantly to the achievement of the Ways plans. The following chart shows each of the plans and when they were created.

302 Implementing Enterprise Risk Management

Directional Plans

• The Way We Grow: Municipal Development Plan (2010)
• The Way We Move: Transportation Master Plan (2009)
• The Way We Live: Edmonton’s People Plan (2010)
• The Way We Green: Edmonton’s Environmental Strategic Plan (2011)
• The Way We Finance: Edmonton’s Financial Sustainability Plan (under development)
• The Way We Prosper: Economic Development Plan (2013)

Implementation Plans

• The Way We Grow Implementation Plan (2013 to Council)
• The Way We Move Implementation Plan (2012)
• The Way We Live Implementation Plan (2012)
• The Way We Green Implementation Plan (2013 to Council)
• The Way We Prosper Implementation Plan (under development)

In addition, the city is taking a results-based approach to aligning resources with the vision and 10-year strategic goals. Results-based budgeting is about emphasizing performance and accountability.

The following chart shows the alignment between The Way Ahead, Ways plans, and operational planning.


QUESTIONS

1. What other strategic processes are closely tied to ERM?
2. What three kinds of risks are identified within the City of Edmonton?
3. What two criteria must be balanced in a successful ERM model?
4. Who is responsible for dealing with and mitigating risks?
5. To what body must the City’s strategic risks be reported?

NOTES

1. Chris Hadfield, An Astronaut’s Guide to Life on Earth (Toronto: Random House Canada, 2013).
2. Conference Board of Canada, “Economic Insights into 13 Canadian Metropolitan Economies,” August 20, 2013.
3. City of Edmonton, “Economic Insights, Economic Outlook 2012–2013,” October 26, 2012.
4. City of Edmonton, Corporate Services, Human Resources Branch, HR Research, Statistics & Reporting Group, November 25, 2013.
5. City Auditor Report, “ERM Corporate Business Risk Planning,” August 25, 2005.
6. Ibid.

ABOUT THE CONTRIBUTOR

Ken Baker is ERM Program Manager for the City of Edmonton. He is responsible for developing and implementing a strategic ERM model for the city. In addition to strategic risk, he also liaises with other areas of risk management within Edmonton to find areas of commonality, to assist with project risk management, and to investigate standardization of operational risk management among city departments. Finally, he acts as mentor and subject matter expert for areas requesting ERM expertise, as well as for the implementation of risk management into other business planning models such as operating budgets, operating business plans, and capital plans.

Ken is a Certified Management Accountant (Alberta) and serves on the Finance Committee of the Risk and Insurance Management Society (RIMS). Prior to his work with the City of Edmonton, he was Controller at the Alberta Urban Municipalities Association, where ERM development was included in his mandate. He also held a number of accounting positions in Canada and Sweden. Ken has a bachelor of commerce degree from the University of Alberta School of Business.


Leveraging ERM to Practice Strategic Risk Management

JOHN BUGALLA
Managing Principal, ermINSIGHTS

JAMES KALLMAN
Assistant Professor, St. Edward’s University

Enterprise risk management (ERM) emerged more than 15 years ago as an all-encompassing alternative to the then traditional fragmented approach to risk management. This previous disjointed style is sometimes referred to as managing individual risks in stand-alone silos or stovepipes. Risk management practitioners started to flesh out and test the theory. Early practical applications took the form of integrated risk programs that combined selected hazard risks and financial risks.1

As the ERM process was debated and matured, practitioners started to include operational risks within their portfolio. Risk registers emerged that organized the various identified risks into categories that now included hazard, financial, and operational risks. Hazard risk examples include fires, lawsuits, and strikes. Financial risk examples include commodity price volatility, inflation, and currency exchange rate fluctuations. Operational risk examples include process disruptions, compliance failures, and technology breakdowns.2

ERM practitioners began encountering internal organizational push-back because the process was inappropriately seen as (1) reactionary and (2) an unnecessary expansion of audit and compliance. Peter Drucker once stated, “The purpose of business is to create and keep a customer.”3 Recognizing the corporate imperative to grow the business, proponents of ERM postulated that they could bring new utility to the process by aligning with, and supporting, corporate business goals, rather than focusing only on the downside of risk. The methodology used to bring ERM into alignment with and support of overall business goals is to incorporate the ERM process into longer-range strategic planning and annual business plans. ERM practitioners added another new risk category to their portfolio: strategic risks. Strategic risk examples include social, technological, economic, environmental, and political situations that are much broader in scope and longer lasting in impact. The expanded risk portfolio is far more vibrant because it inserts the ERM process into the growth side of the business. ERM moves from supporting only a defensive function to a more balanced approach that also supports growing the business.

The original vision of ERM as an all-encompassing alternative to traditional risk management expands if executive management utilizes the ERM process to support improved decision making to both protect and grow the business. Practicing strategic risk management requires risk-adjusted decision making.4 However, leveraging ERM to practice strategic risk management depends on executing on three different, but related, variables:

1. Executive management’s willingness to reexamine the purpose of ERM, away from purely control and compliance to a strategic function
2. Positioning and leveraging ERM within the organization to support longer-range strategic planning and annual operational business goals
3. Making risk-adjusted decisions and practicing strategic risk management by utilizing new tools and techniques to measure the value created or protected by adopting the ERM process

ERM: A REEXAMINATION OF PURPOSE

Metaphorically, ERM can be compared to a tree5 with branches growing in various directions. The enterprise risk management process has emerged from its fundamental risk management roots: preserving assets, protecting people, and complying with laws and regulations. The ERM tree developed several new branches growing in multiple directions during its initial growth period.

A standard ERM framework does not yet exist. After more than a decade of evolution, the various national standards, artificially created frameworks, and differing lexicons that had been produced for marketing and commercial purposes have been reduced to two.6 There is the framework developed by the Committee of Sponsoring Organizations (COSO) and the framework and lexicon developed by the International Organization for Standardization (ISO). These two frameworks have different DNA. The COSO sponsoring organizations are (1) the American Accounting Association, (2) the American Institute of CPAs, (3) Financial Executives International, (4) the Association of Accountants and Financial Professionals in Business, and (5) the Institute of Internal Auditors. COSO’s DNA is the financial reporting scandals of the early twenty-first century. ISO 31000:2009 is designed as a standard of principles and guidelines; it provides principles, a framework, and a process for managing risk. However, actual risk management practice by a cross section of organizations indicates that hybrid frameworks are being utilized because some organizations reject strict adherence to either of the two self-proclaimed standards.7 The hybrid idea is that the best parts of both frameworks produce a more customized model that better serves the needs of an organization, such as providing a unique competitive advantage. There is also still considerable confusion over the purpose of ERM. Some organizations view ERM as a strategic function, while others still see ERM as only a control and compliance function.

Another reason ERM has lacked a uniform standard is the way commercial firms sell ERM. The marketing of ERM by professional services firms mirrors the services and product offerings that are the core business of those firms. For example, accounting and audit firms view ERM through the lens of audit, compliance, and control, whereas insurance brokers see ERM through the supply chain lens that leads them to a range of insurance-based products. Financial institutions, such as banks, see ERM as a methodology to comply with laws and regulations. And consulting firms focus on utilizing ERM in strategy and organizational structure. Additional branches on the ERM tree have been created by other specialties such as information technology (IT), business continuity, and crisis management.

The shape of ERM within organizations is largely dependent upon which branch of the ERM tree it emerged from. The practice of ERM will be biased toward the partisan internal forces claiming ownership of the process. For example, accounting firms may place compliance at the top of the tree. In contrast, insurers put financial outcomes and statutory regulatory requirements at the top, subjugating all other actions to creating economic value. As another example, utilities place reliability at the pinnacle of the ERM tree, knowing that is their core mission.

The lowest branch on the tree, closest to the base, represents the earliest forms of ERM. They were called ERM programs in the financial press, but were in actuality integrated risk programs. One such program that received a great deal of attention in the financial press in the late 1990s was the United Grain Growers (UGG) ERM program.8 The fruit of this branch was creative financing of historically heterogeneous risk categories in new blended programs (i.e., volume risk combined with hazard risks). Creative financing came from aggregating these different kinds of risks into a blended multiyear basket, sometimes coupled with an exotic trigger.

Two additional limbs appeared in quick succession in 2001 and 2002. In the wake of 9/11, the business continuity planning branch emerged with a focus on disaster preparedness and emergency response planning. A renewed emphasis on physical security and system redundancy was accompanied by terrorism risk assessments, modeling of man-made disasters, and the passage of the Terrorism Risk Insurance Act (TRIA).9 IT departments and asset managers led the way in nurturing these branches. Another compliance-related branch grew out of the Enron implosion and other issues of corporate fraud. These fiduciary breaches led ultimately to the Sarbanes-Oxley Act,10 the creation of the COSO ERM Framework,11 and passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act.12

Yet another branch in the compliance and audit family that emerged over the past few years is called governance, risk, and compliance (GRC). This branch focuses on blending the ERM approach to include corporate governance and risk management requirements from entities such as the New York Stock Exchange. This branch gains its support from audit firms and information technology providers.

As the United States embraces the general concept of sustainability, a new ERM branch has grown to include the green movement. One such branch includes John Elkington’s concept of the triple bottom lines of profit, people, and planet.13

From this perspective, ERM is seen as being more holistic about the risks faced by businesses in executing their strategies. In addition to managing variation in a business’s economic performance, this ERM approach also includes assessing the impact on social justice performance and environmental stewardship. The social justice aspect requires an analysis of how risks impact not only stockholders, but also customers, vendors, governments, and employees. The environmental aspect has broadened the vocabulary of ERM. Terms like cap and trade, carbon footprint, and sustainable development have worked their way into the risk management lexicon. Company stakeholders have expanded far beyond employees, owners, and customers to encompass literally the entire world.

Several years ago another new branch started to grow, where the idea was that the ERM process could support the addition of new measurable value to an organization. Adherents to this philosophy view ERM as encompassing both threats and opportunities. The practitioners in this camp consider leveraging risk to take advantage of the upside of opportunities, while at the same time addressing the traditional downside of risk. While some of the opportunities identified can be transactional or product-related in nature, by and large ERM should be focused on supporting business strategies. In this way ERM can be utilized to take advantage of operating conditions by aligning business growth opportunities with agreed risk appetites and tolerances and with overall organizational goals: risk-adjusted decision making. Executive management’s willingness to reexamine the purpose of ERM is the first key element toward recognizing that it is a strategic function that supports reducing the impact of adverse events and exploiting opportunities to achieve better outcomes.

REGULATORY ENVIRONMENT

The metaphoric ERM tree, like its counterpart in nature, must adapt to its environment in order to thrive. The ERM tree is growing in an environment of increased regulation by various federal agencies. Reacting to the consequences of the recent Great Recession, provoked mainly by the financial crisis of 2008–2009, the two most important new (2010) regulations (at least in the United States) affecting both the growth and practice of ERM are (1) Securities and Exchange Commission (SEC) Amended Rule 33-9089,14 and (2) the Dodd-Frank Wall Street Reform and Consumer Protection Act.15

SEC 33-9089 requires publicly traded companies to disclose the board’s role in risk oversight, which clearly places the oversight of risk management with the board of directors. Dodd-Frank’s Section 165 mandates, within the financial sector, the formation of a stand-alone board-level risk committee consisting of independent directors, the practice of enterprise-wide risk management, and the appointment of a chief risk officer (CRO).

More recently (January 5, 2012), the Board of Governors of the Federal Reserve proposed “Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies.”16 Far more prescriptive and detailed mandates have been added to the original Section 165 that include:

• Board-level risk committees to be chaired by an independent director for bank holding companies over $10 billion, increasing the reach of the legislation to a greater number of institutions than the originally announced $50 billion
• A specific list of “Responsibilities of Risk Committee”
• “Appointment of CRO” who will report directly to the chief executive officer and board-level risk committee
• A specific list of responsibilities and actions by the CRO

The proposed “Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies [R-1438]” provides not only the detailed responsibilities of the risk committee of the board of directors, but insights into just how deep the Federal Reserve is attempting to reach within the governance structure of publicly traded companies within the broader financial sector.

The requirement for a separate and stand-alone risk committee of the board of directors with a CRO, reporting directly to the risk committee and the CEO, indicates the high level of importance the Federal Reserve is giving to the implementation and administration of enterprise-wide risk management. Tearing down individual internal risk silos that inhibit collaboration and communication across the enterprise about identified risks and intelligence about emerging risks and opportunities should be a priority on the risk management agenda.

• “[T]he board proposes that covered company and over $10 billion bank holding company risk committee must be chaired by an independent director. The board views the active involvement of independent directors as vital to robust oversight of risk management and encourages companies generally to include additional independent directors as members of their risk committees.”17

• “Specifically, the Board believes that best practices for covered companies require a risk committee that reports directly to the Board and not as part of or combined with another committee.” Thus, “the proposed rule would require a covered company’s risk committee not be housed within another committee or be part of a joint committee.” In addition, “the proposed rule would require a covered company’s risk committee to report directly to the covered company’s board of directors.”18

• A separate stand-alone risk committee, not a part of or combined with the existing audit committee, is a signal or reminder by the Federal Reserve that the two committees (audit and risk) have different functions and responsibilities. The risk committee’s responsibilities are to document and oversee the enterprise-wide risk management policies and practices of the company.

The risk committee’s agenda is:

[to review and approve] an appropriate risk management framework that is commensurate with the company’s capital structure, risk profile, complexity, size, and other appropriate risk-related factors. The proposed rule specifies that a company’s risk management framework must include: risk limitations appropriate to each business line of the company; appropriate policies and procedures relating to risk management governance, risk management practices, and risk control infrastructure; processes and systems for identifying and reporting risks, including emerging risks; monitoring compliance with the company’s risk limit structure and policies and procedures relating to risk management governance, practices, and risk controls; effective and timely implementation of corrective actions; specification of management’s authority and independence to carry out risk management responsibilities; and integration of risk management and control objectives in management goals and the company’s compensation structure.19

• Appointment of a chief risk officer (CRO): “. . . in ensuring the effective implementation of a covered company’s risk management practices, the proposed rule would require a covered company’s CRO to report directly to the risk management committee and the chief executive officer.”20


As the name Dodd-Frank Wall Street Reform and Consumer Protection Act states, the law is aimed at the financial sector. However, the Act provides a model, or benchmark, of sound risk management practices that could be utilized (with some modification) in all industry sectors. The Federal Reserve model could strengthen ERM’s core trunk if it does indeed become the de facto enterprise risk management standard and migrate from the financial sector to general business. The influence of the Federal Reserve cannot be overstated, but adoption of its model by all publicly traded companies will take many more years without a specific push from regulators in other industries.

One example of how Dodd-Frank can extend the Federal Reserve model and reach, and has now done so, is the creation of the Financial Stability Oversight Council (FSOC). This group identifies and monitors excessive risks to the U.S. financial system arising from the distress or failure of large, interconnected bank holding companies or nonbank financial companies. In July 2013, the FSOC named the first nonbank financial companies considered systemically important financial institutions (SIFIs): American International Group and GE Capital. Prudential Financial, Inc. was added to the list in September 2013. These companies now come under the supervisory standards, including examinations, established by the Board of Governors of the Federal Reserve for the first time.

LEVERAGING ERM TO PRACTICE STRATEGIC RISK MANAGEMENT

ERM is a business management support process. For several years, proponents of ERM have been advocating incorporating the ERM process into strategic and business planning to increase its utility. Their goal is to promote risk-adjusted decision making that can better assist management in addressing the outside forces (such as political, economic, technological, legislative, social, and environmental) that will cause the variations from performance or planned outcomes that will inevitably occur over a multiyear time line. Some outside forces will inhibit success, while others will improve the operating environment. The specific purpose is to reduce the impact of adverse events and be ready to exploit emerging opportunities. The challenge is adapting the ERM process within the existing strategic and business planning methodology.

The word strategy has its roots in the Greek strategos (a compound of stratos, an encamped army spread out over ground, and agein, to lead),21 which explains its initial definition of “the art of generalship.” Strategy can be defined as a careful plan or method for achieving a particular goal, usually over a long period of time, and the skill of making or carrying out plans to achieve a goal.22 Another definition is: “A company’s strategy is a series of choices; to be effective it must remain consistent with what’s happening in its competitive environment.”23

Organizations that view the ERM process as supporting business strategies should consider positioning it where the primary goals are both to grow the business and to protect value: corporate planning (longer range) and the business units (annual). Exhibit 16.1 is a model designed by the authors that can be utilized to incorporate ERM into the strategic and annual business planning process. However, before positioning can occur, the entire organization should understand the vision, mission, and purpose of ERM. This can be accomplished by creating a formal ERM charter. The ERM charter serves as an internal blueprint for both executive leadership and middle management to follow. The optimal time to create the charter is in the ERM planning stage, before it has been implemented. The charter will set the tone at the top for ERM in one of two directions: (1) Risk management is a strategic support function, or (2) risk management is a control function. In Exhibit 16.1 risk management is a strategic support function.

Exhibit 16.1 Incorporating ERM into the Strategic Planning Process

[Figure: “Incorporating ERM into Strategic Planning Model.” The labels recoverable from the figure are:
Internal Scan / Risk Context: Senior Management’s Perceived Levels of Risk and Current Risk Response (Risk Perception**); Internal Audit Perspective of Controls; ERM Risk Register
External View: PESTLE* (the figure lists Socio-Demographic among its factors); Scenario Planning & SWOT Analysis
Assessment Process: Risk Appetite(s) and Risk Tolerance Statement (What Risks Can We Take? How Much Risk Can We Take? When Do We Take the Risk? Who Is Willing to Take the Risk?); Value Mapping (What Are the Measurable Benefits to Taking the Risk?)
Articulation: Longer Range Strategic Plan; Annual Business Plans; Risk Owners Identified; Budget Allocation and Resources]

*From Francis J. Aguilar, Scanning the Business Environment (New York: Macmillan, 1967).
**From Pedro C. Ribeiro, “Predictable Project Surprises: Bridging Risk-Perception Gaps,” Ask Magazine, August 11, 2013.
Used by permission of John Bugalla and James Kallman, © Copyright 2013, John Bugalla and James Kallman.

The initial step comprises three internal scan elements: (1) surveying the C-suite about leaders’ current perceptions about risks and their management, (2) surveying Internal Audit about their perspectives on the current level and effectiveness of risk controls, and (3) creating an ERM risk register. The surveys will enable a comparison between the current state of risk management activities and the corresponding risk control efforts. The ERM risk register is a tool for organizing the identified risks and their internal owners.

The external view serves several purposes. It begins to incorporate the ERM process into strategic planning steps. The external view provides an opportunity to identify the outside forces that present both risks and opportunities to the organization—the two sides of the business decision coin. Coupling risks and opportunities together provides a broader and more complete view that makes for a far better assessment process and decision making. The authors have indicated some of the tools and techniques that can be utilized to complete the assessment process, including a detailed description of a new tool that is presented later in this chapter.


If the ERM and strategic planning processes have been merged, the results should be seamlessly incorporated and articulated into the longer-range strategic and annual business plans. Both plans articulate how the organization will achieve its business goals. However, neither plan provides certainty that the planned performance will be achieved, analogous to von Moltke’s statement “No battle plan survives contact with the enemy.”24 The goal is to reduce the impact of adverse events and exploit opportunities to achieve better outcomes around the planned performance objectives.

MANAGING AND MEASURING VALUE CREATION

At the enterprise level, a risk identification and assessment exercise at a global company can develop a list of risks sometimes numbering in the hundreds. Such an expansive list of risks requires organization. One approach to organizing the list is to create a risk register. The purpose of a risk register is to sort the risks into categories, describe their characteristics, and rank them. Bringing additional order to a cumbersome risk register is a risk map, a kind of executive summary of the risk register in a pictorial format. A risk map is a graphical snapshot of the key identified risks, usually the top 10 risks. Including all the risks identified on a risk map would render it indecipherable.

The key question practitioners should be asking about these tools is: Who benefits from the time-consuming and expensive exercise of creating a risk register that sometimes contains hundreds of risks, and the associated risk map? If the benefit is limited to a single function, that suggests a limited and narrow purpose for the organization’s risk management program.

Traditional risk maps are insufficient for many reasons. One key shortfall is that traditional risk maps do not properly plot risks. The common objective definition of risk in risk management, finance, and statistics (“the variation from an expected outcome over time”25) has three components: the expected outcome, the variation around it, and time. Traditional risk maps plot only the two variables that make up the expected outcome: (1) the probability of an event and (2) the value of that loss. Rarely do they plot gains. Conspicuously missing from traditional risk maps are variation and time. All four variables (probability, magnitude of loss or gain, variation, and time) must be plotted in order to provide complete information about the risks.

RISK MANAGEMENT FAULT LINE

Being in business, however, is about taking risks. Examples include expanding new product lines, investing in research and development, looking for mergers and acquisitions, and exploring geographical expansion. Organizations undertake these and other activities to grow the business. All involve taking risks. None are guaranteed successes. Managing the threats associated with taking risk is required (traditional risk management), but so is identifying and assessing the upside gain of the opportunities associated with taking those risks (speculative risk management). Measuring both the downside and the upside of risk taking in terms of a metric that is meaningful to the organization, such as earnings per share for a publicly traded company, provides a context that can be utilized to determine the type and amount of the resources needed to support the favorable outcomes as projected by the strategic planners and executive management. An additional benefit is that, by analyzing the range of possible outcomes against what was actually achieved, executive management may also gain insights into individual operational performance capabilities.

Identifying and assessing both risks and opportunities simultaneously might seem obvious, but it is atypical—at least in the first decade of the twenty-first century. One reason is that the two most widely utilized tools and techniques currently employed during the ERM risk identification and assessment process are a risk register and a risk heat map. They received their monikers for a reason. The focus of both is the perceived threats to an organization. There is no consideration of the value that could be created by taking on risks.

Academics have now spent many years researching the benefits of risk registers and risk maps.26 While it is undeniable that risk registers and risk maps do have value, our research and analysis conclude the following:

• If the organizational goal is to respond only to known, identified risks, and the ERM process is viewed as an extension of audit and compliance, then risk registers and traditional risk maps can be useful.

• If the organizational goal is to respond to known threats (risks) and opportunities, and also to gain risk intelligence about emerging risks on the horizon, a traditional risk register and risk map fall short. This is because they fail to show both the upside of risk and the relationships between events and volatility.

• If the organizational goal is to grow the business and create value for stakeholders, a traditional risk map is useless. Again, this is because risk maps fail to enable executives to see the upside of taking risks and relationships between risks, and fail to show trends.

• A new tool is required to measure both risks and opportunities—which we call a “value map.”27

VALUE MAPS

A value map is a graphical illustration of both threats and opportunities. Because threats and opportunities are two sides of the same coin, a value map also has two sides, as illustrated. Reference points have been added for valuation and measuring variation from the expected outcome. Threats are plotted on the left side of the map while opportunities are located on the right side. Rather than plotting a single point on a risk map, the value map illustrates the range of the magnitude of each threat and the potential gain of each opportunity. This is an important consideration because operational conditions during the year or years are not stagnant. A value map can also plot the time duration of risks. Some risky events occur and last for only a short period—perhaps a matter of days. Others have long tails and last for many years. Some long-lasting risks can have significant strategic importance. A value map can also plot correlations between risks. Some volatile situations are highly associated with others. For example, the threat of a patent lawsuit may have a strong link to a consequential decrease in revenues. A weather-related catastrophe may be highly correlated with the chance of personnel being injured, property damage, business interruption expenses, crisis management, and perhaps a declining stock price. These associations can be shown on the value map so senior management is fully aware of the total consequences of an event.

314 Implementing Enterprise Risk Management

Exhibit 16.2 Value Map Outcomes (figure: horizontal axis Outcome Values, with Negative Outcomes on the left and Positive Outcomes on the right; vertical axis Outcome Likelihood, from High Probability at the top to Low Probability at the bottom)

Exhibits 16.2 through 16.4 show how a value map differs from traditional heat maps. Exhibit 16.2 shows that the outcomes from a volatile situation are not necessarily negative. In fact, organizations take on risky projects in order to create value. The value map provides cells to record both negative and positive outcomes of business situations. These events may be investments in new products, operating a factory, or providing a customer service.

Exhibit 16.3 plots two risks in their current state. That is, the ellipses show the expected outcomes (the center of the ellipses) as well as the spread of possible outcomes. On the vertical axis, the range of possible probabilities is shown; on the horizontal axis, the range of possible values is shown. This mapping differs significantly from traditional heat maps in that for the first time the variation (the risk) is plotted. The outcome is plotted as the Cartesian product of the event’s value (on the horizontal x-axis) and its likelihood (on the vertical y-axis). This plotting of so-called expected outcomes is typical of all traditional heat maps as well. But where value maps improve on this display is in also showing the range of both inputs. These ranges are shown as ellipses. The wider (on the x-axis) the ellipse is, the greater the range of outcome values. Risk #1 in Exhibit 16.3 shows such an outcome. The taller (on the y-axis) the ellipse is, the greater the uncertainty of the outcome. Risk #2 in Exhibit 16.3 shows an example of this uncertain outcome. In contrast, a narrow and short ellipse displays an outcome that is certain in both value and probability.

Exhibit 16.3 Value Map with Two Risks—Current State (figure: same axes as Exhibit 16.2, Outcome Values from Negative Outcomes to Positive Outcomes against Outcome Likelihood from High Probability to Low Probability; two ellipses labeled Risk #1 Current State and Risk #2 Current State)

Exhibit 16.4 Value Map Showing Risk Evolution (figure: same axes; four ellipses labeled Risk #1 Previous State, Risk #1 Current State, Risk #2 Previous State, and Risk #2 Current State)

Exhibit 16.4 shows how the risks are evolving over time. There are several methods to include a risk’s time dimension. In this graph, a two-period scale is used. For example, risk #1 has not changed in its possible spread of value outcomes. However, it has become much more likely in the current state. Risk #2 changed in both dimensions. Its probability range has grown, which indicates there is much less certainty in what outcome might occur. In addition, although its values have the same spread, they are all negative in the current state. Risk #2’s situation has drastically degraded. The value map in Exhibit 16.5 shows risk correlations.
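To make the ellipse model concrete, here is an added example (not from the chapter) in Python that carries each risk as a value range and a likelihood range, derives the heat-map point from their midpoints, and reports how a risk moved between two periods in the terms Exhibit 16.4 uses. The RiskState class, its helper names, and the sample figures for Risk #1 and Risk #2 are all constructed for illustration.

```python
# Added example, not from the chapter: a small model of a value map. Each risk
# is a range of outcome values (negative = threat, positive = opportunity) and
# a range of likelihoods; their midpoints give the single point a traditional
# heat map plots, and the ranges are the variation the value map adds.
# Class, helper names and sample figures are constructed for illustration.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskState:
    """One risk in one period; values in the organisation's own metric
    (e.g. impact on earnings per share), likelihoods as bounds in [0, 1]."""
    name: str
    value_low: float
    value_high: float
    prob_low: float
    prob_high: float

    def __post_init__(self):
        if not 0 <= self.prob_low <= self.prob_high <= 1 or self.value_low > self.value_high:
            raise ValueError(f"{self.name}: malformed value or likelihood range")

    def mid_prob(self) -> float:
        return (self.prob_low + self.prob_high) / 2

    def expected_outcome(self) -> float:
        # Midpoint value times midpoint likelihood: the heat-map point.
        return (self.value_low + self.value_high) / 2 * self.mid_prob()

    def value_spread(self) -> float:  # ellipse width on the x-axis
        return self.value_high - self.value_low

    def prob_spread(self) -> float:  # ellipse height on the y-axis
        return self.prob_high - self.prob_low

    def side(self) -> str:
        """Which side of the value map the whole range sits on."""
        if self.value_high <= 0:
            return "threat"
        return "opportunity" if self.value_low >= 0 else "both"


def describe_evolution(previous: RiskState, current: RiskState) -> list:
    """Summarise how one risk moved between two periods (cf. Exhibit 16.4)."""
    same = lambda a, b: math.isclose(a, b, abs_tol=1e-9)
    notes = ["value spread unchanged" if same(previous.value_spread(), current.value_spread())
             else "value spread changed"]
    if not same(previous.mid_prob(), current.mid_prob()):
        notes.append("more likely" if current.mid_prob() > previous.mid_prob() else "less likely")
    if current.prob_spread() > previous.prob_spread() + 1e-9:
        notes.append("probability range widened (less certainty)")
    elif current.prob_spread() < previous.prob_spread() - 1e-9:
        notes.append("probability range narrowed (more certainty)")
    if current.side() == "threat" and previous.side() != "threat":
        notes.append("now entirely negative (threat)")
    return notes

# Constructed two-period states for the two risks of Exhibits 16.3 and 16.4.
RISK1_PREV = RiskState("Risk #1", -40, 40, 0.10, 0.30)
RISK1_CUR = RiskState("Risk #1", -40, 40, 0.55, 0.75)   # same spread, more likely
RISK2_PREV = RiskState("Risk #2", -60, 60, 0.20, 0.30)
RISK2_CUR = RiskState("Risk #2", -160, -40, 0.10, 0.60)  # wider likelihood, all negative
```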

ADDITIONAL TOOLS AND TECHNIQUES

Making risk-adjusted decisions and practicing strategic risk management by utilizing new tools and techniques to measure the value created or protected by adopting the ERM process is not limited to value mapping. Risk managers now have multiple options that, depending on the potential impact to the organization and its executive management and the level of complexity, could be employed to improve the quality of their decisions. These tools can be quite sophisticated, and might require outside experts to facilitate a specific project, especially strategic issues that could be a destiny-determining event for the CEO. One example is game theory. Especially useful in situations involving outside suppliers, competitors, and regulators, game theory can provide insights and recommended courses of action about the various players’ interests and options. If there are multiple players involved in complex negotiations, competitive strategy, crisis management, and public policy, game theory can be utilized to develop specific strategic and tactical options.

Exhibit 16.5 Value Map Showing Risk Correlations (figure: Negative Outcome to the left and Positive Outcome to the right, likelihood graded low, med, high on the vertical axis; Risks #1 through #4 plotted, with a correlation of r = .23 marked between Risk #1 and Risk #2 and r = .85 marked beside Risk #3)

CONCLUSION

Risk management is evolving from focusing only on the downside of risks to a far broader understanding that strategic decisions have the potential of producing both downside and upside outcomes. By employing the ERM process at the strategic planning level, the organization has a far greater chance of exploiting opportunities that may arise during a typical multiyear planning cycle. Likewise, the organization has a greater chance of protecting organizational value when adversity strikes. However, to enable the organization to adopt and adapt the broader view of enterprise risk management and use the ERM process to practice strategic risk management, executive management must:

• Reexamine the purpose of ERM within the organization.

• Position and leverage ERM into strategic planning to support business goals.

• Utilize value maps to measure the value created or protected as a consequence of practicing strategic risk management.

One way to start or reignite the ERM process within an organization is to create or redraft an ERM charter. The charter should set forth a vision, mission, and purpose of ERM within the organization as a strategic function. To ensure that all levels of management are speaking a common language when it comes to risk, greater clarity will be attained by including a definition of ERM, risk, and strategic management within the charter; then utilizing modern risk registers and value maps will enable executives to better achieve their strategic goals.

QUESTIONS

1. Do you believe that ERM will continue to evolve, and if so, how?

2. Do you believe that risk is a two-sided coin with both upside gains and downside losses?

3. How is value measured in your organization, and do you believe the ERM process can add new value?

4. Besides risk maps and value maps, what other tools and techniques are available to manage risk and make risk-informed decisions?

NOTES

1. One of the first integrated risk programs to be labeled ERM was United Grain Growers. It combined selected hazard risks such as general liability and property with a selected economic risk (grain processing volume). (See Chapter 7 of this book.)

2. Torben Juul Andersen and Peter Winther Schroder, Strategic Risk Management Practice (New York: Cambridge University Press, 2010).

3. Peter F. Drucker,

4. A good discussion of strategic risk management can be reviewed at the Risk and Insurance Management Society (RIMS) website and others. For example, see resources/ERM/Pages/StrategicRiskManagement.aspx.

5. John Bugalla, Barry Franklyn, and Corey Gooch, “Climbing the ERM-Enterprise Risk Management Tree,” Risk Management, May 2010; and National Law Review,

6. The two major frameworks are ISO 31000, accepted in approximately 25 countries, and COSO, which is mainly utilized in the United States. Other frameworks include those created by AS/NZ 4360 and the Conference Board of Canada.

7. For a discussion of the benefits and disadvantages of ERM standards, there are many articles; for example, see, ments/coso_erm_executivesummary.pdf and

8. See “United Grain Growers Limited (A),” Harvard Business School Case Study 9-201-015, June 11, 2001.

9. For the full Terrorism Risk Insurance Act of 2002 Reauthorization Act of 2013, see

10. To read the full act, Public Law 107-204-July 30, 2002, see about/laws/soa2002.pdf.

11. , accessed December 8, 2013.

12. , accessed December 2013.

13. , accessed December 8, 2013.

14. To read the full rule see:

15. See

16. Federal Register, January 5, 2012.

17. Ibid.

18. Ibid.

19. Ibid.

20. Ibid.

21. Lawrence Freedman, Strategy: A History (NY: Oxford University Press, 2013).

22.

23. John R. Wells,

24. Helmuth von Moltke, Field Marshal, German military strategist.

25. Stephan R. Leimberg, Donald J. Riggin, Albert J. Howard, James W. Kallman, and Donald L. Schmidt, The Tools & Techniques of Risk Management & Insurance, 2009 supplement (Cincinnati, OH: National Underwriter Co.), 8.

26. Examples of the benefits of risk registers and risk maps include wp-content/uploads/2012/09/Risk_register_September2012.pdf,,Cri tical_Control_Risk_Registers.docTMei=zCemUvrvG6Xr2QXEhoFITMusg=AFQjCNFWX ZqE8_kS9HA9aK9NZQskOEkpOQTMbvm=bv.57752919,d.b2I, and http://blog

27. John Bugalla and Dr. James Kallman, “How to Map Your Risks,”, February 2013.

ABOUT THE CONTRIBUTORS

John Bugalla is Principal of ermINSIGHTS, an advisory and training firm specializing in enterprise risk management and strategic risk management. His experience includes 30 years in the risk management profession serving as Managing Director of Marsh & McLennan, Inc., Willis Group, Plc., and Aon Corporation before founding ermINSIGHTS. He led the Willis team that negotiated the integrated risk program on behalf of United Grain Growers. He is the author or coauthor of numerous articles in diverse publications such as The Corporate Board magazine, CFO magazine, the National Law Review, Credit Union Management magazine, Risk Management magazine, the Journal of Risk Management in Financial Institutions, and the Journal of Risk Education.

James Kallman is Assistant Professor at St. Edward’s University, Austin, where he teaches courses in finance, statistics, and risk management. Dr. Kallman holds a doctoral degree and master’s of science degree in risk management and insurance from the University of Wisconsin, a bachelor of science degree from the University of Minnesota, and an Associate of Risk Management and RIMS Fellow degree. He is author or coauthor of numerous articles in diverse publications such as The Corporate Board magazine, CFO magazine, Risk Management magazine, Journal of Risk Management in Financial Institutions, and the Journal of Risk Education.


Specialized Aspects of Risk Management


Developing a Strategic Risk Plan for the Hope City Police Service

ANDREW GRAHAM
Adjunct Professor and National Editor, Case Studies, Institute of Public Administration of Canada, Queen’s University

Hope City is a midsize urbanized community, part of a larger conurbation and therefore part of larger and more complex forces. It is changing in terms of demographics and the demands on policing. While there is no central crisis in this case, there are a number of disturbing trends that represent risks to the Police Service business model now in play and to the ability of the Police Service to meet the emerging needs of its community.

The Hope City case is one that forces integrative thinking about risk management. It is a holistic set of facts and information designed to lead to the creation of a strategic risk management plan for the Police Service of Hope City. It is centered on the qualitative and impressionistic assessment of risk, rather than the quantitative. Therefore, coming to an assessment of the risks in this circumstance and rendering them relative weights will entail some form of collective, consensus-driven or centrally driven exercise. Further, aside from being a good platform for the effective assessment of risk and the assignment of weights, it is also useful when linked to the creation of a strategic or action plan for the Police Service as a whole. The case lends itself well to group work as well as written analysis.

THE CONTEXT

Like most police services, the Hope City Police Service is a busy place. There is no end of activity. Chief Karl Paulson has been in the job for 10 months now and feels that he is getting a handle on the culture and way things are done around Hope City. He came in from another service. This is his first job as chief, although he has held both operational and planning roles at the deputy level elsewhere. He finds working in a growing community of 500,000 like this one interesting. However, at the end of the day, while he fits in fine, he still does not feel in control of things. Being a good police leader and being used to rapidly changing time and resource priorities, he can certainly fit into the “What’s next?” approach to management. He feels he and his organization are adept at responding and adapting to both operational challenges and changing situations. But is that what it is all about? He is also seeing some changes happening that he is not sure the Police Service is ready for.

Hope City is indeed a growing and changing place. It is situated not far from a larger metropolitan area, one that gives a lot of employment to Hope City residents. In fact, about 20 percent of the Hope City working population commutes the 50 to 75 kilometers every day by way of the multilane highway that passes just west of town, the commuter rail link into downtown Benville, or the commuter bus systems. The others work in the large service sector or the many secondary manufacturing plants on the west side of the city. There is also a community college with extensive programming that employs about 500 people. It really is a regional hub, one that Hope City residents are proud of. Right now, as this community grows and changes, there is a lot to be optimistic about for the future. On the other hand, the more the community changes, the more that future changes. Having been a small city with a homogeneous population and relatively isolated for a long time, it is now becoming part of the growing conurbation around Benville.

Taken at first blush, Hope City seems to be doing well. There is growth in residential and commercial construction as the result of an influx of new workers into the high-tech industries that are growing here. Many of these new workers are new Canadians, often well educated, some of whom come through family sponsorships. They have settled primarily in four communities in Hope City, often forming fairly close-knit communities. New services are arising to meet their needs, although schools, churches, and social organizations are at capacity.

Working with the notion that it is always best to get ahead of issues before they get ahead of you, Chief Paulson decided to pull together his top managers for a planning session and a bit of a look forward. He is allergic to flip charts, consultants, and detailed reports that do not get used. However, he wanted to not just be a good day-to-day chief, but to set the future direction of