Enterprise Risk Management (ERM) - A GRC Based Approach to Risk and Reward Management

MetricStream Solution Brief

Enterprise Risk Management (ERM)
A GRC Based Approach to Risk and Reward
Management

Governance, Risk, Compliance and Quality Management Solutions

Table of Contents

Preface 3

It’s a perilous time out there; the emergence of Enterprise
Risk Management (ERM) 4

New Guidance – Standard & Poor’s risks a ecting
shareholder value 5

Building the business case for ERM 8

MetricStream: GRC’s preeminence powers ERM across
industry silos 10

Preface
At MetricStream we challenge ourselves and our customers to adopt an approach to risk management that
enables us to utilize ERM in the broader context of Governance, Risk & Compliance (GRC) Management:
to mitigate risks and also revisit their business processes to capture value generating business opportunities.
Concepts and viewpoints herein build upon our experiences with our customers across industry in helping them
reengineer their business processes to bring about a change in how they view, mitigate and profit from business
risks.

This point is important enough to reiterate, however briefly, in this paper. But readers will note that the topic at
hand — recognizing ERM in the broader unified GRC environment — lends itself more to a focus on business
process reengineering for avoidance, rather than on risk-taking for reward. The narrower focus of this paper
shouldn’t obscure the bigger picture, of the effect of ERM as a central covenant to a unified and effective GRC
program.

Companies will make money by taking smart risks and lose money by failing to re-tool their legacy business
processes to assess and mitigate risk effectively.

The emergence of GRC based – Enterprise Risk
The emergence of GRC based – Enterprise Risk
Management (ERM)
Management (ERM)
Near Real Time Visibility to Threats and Opportunity
Near Real Time Visibility to Threats and Opportunity

We live in aaperilous world, as we speak the US Federal Reserve prepares to embrace for the current
We live in perilous world, as we speak the US Federal Reserve prepares to embrace for the current
economic environment without using the “R” word, and that RRword isn’t “risks” or proactive “risk
economic environment without using the “R” word, and that word isn’t “risks” or proactive “risk
management” It is reactive “Recession” From meltdowns in the mortgage industry, terrible weather and
management” It is reactive “Recession” From meltdowns in the mortgage industry, terrible weather and
.. ..
natural disasters in your global operations, lead paint in toys to corporate executives detailing your
natural disasters in your global operations, lead paint in toys to corporate executives detailing your
company’s financial performance on social blogosphere ––threats are everywhere. And so are opportunities,
company’s financial performance on social blogosphere threats are everywhere. And so are opportunities,
diverse, interconnected and complex such as disruptive innovation, new regulatory mandates and
diverse, interconnected and complex such as disruptive innovation, new regulatory mandates and
competitor missteps. As put by aaChief Risk Officer of aaglobal financial institution, “Risks create opportunity;
competitor missteps. As put by Chief Risk Officer of global financial institution, “Risks create opportunity;
opportunity in turn creates value; and that value ultimately creates shareholder wealth”
opportunity in turn creates value; and that value ultimately creates shareholder wealth”

Almost half of the 1000 largest global companies suffered declines in share prices of more than 20 percent
Almost half of the 1000 largest global companies suffered declines in share prices of more than 20 percent
in aaone-month period, relative to the Morgan Stanley Capital International (MSCI) World Index. By the end of
in one-month period, relative to the Morgan Stanley Capital International (MSCI) World Index. By the end of
2003, roughly one-quarter of these companies had still not recovered their lost market value. Another one-
2003, roughly one-quarter of these companies had still not recovered their lost market value. Another one-
quarter took more than aayear for their share prices to recover. With the emergence of unified Governance,
quarter took more than year for their share prices to recover. With the emergence of unified Governance,
Risk and Compliance (GRC) based ERM solution ––firms are no longer surrounded by reactive measures
Risk and Compliance (GRC) based ERM solution firms are no longer surrounded by reactive measures
that cause shareholder value to decline and cause aadecline in corporate goodwill and responsibility in
that cause shareholder value to decline and cause decline in corporate goodwill and responsibility in
the marketplace. An effective GRC program covers all tenants of effective strategic management ––ethical
the marketplace. An effective GRC program covers all tenants of effective strategic management ethical
corporate governance, where the CEO sets the tone for the business strategy and the Board is empowered
corporate governance, where the CEO sets the tone for the business strategy and the Board is empowered
by real-time visibility into operational details i.e. the realities - -of this vision’s material weakness. GRC covers
by real-time visibility into operational details i.e. the realities of this vision’s material weakness. GRC covers
risks that emanate from multi-regulatory and compliance management initiatives, that include dealing with
risks that emanate from multi-regulatory and compliance management initiatives, that include dealing with
SOX, SEC, PCAOB, ISO, FCPA, FDA, cGxP, FERC, NERC, COBIT, PRIVACY, IP, BASEII, AML, GREEN TECH, EH&S, 21
SOX, SEC, PCAOB, ISO, FCPA, FDA, cGxP, FERC, NERC, COBIT, PRIVACY, IP, BASEII, AML, GREEN TECH, EH&S, 21
CFR, FAA and so on. In the past, large or small firms each mandate had its own program, its own team and
CFR, FAA and so on. In the past, large or small firms each mandate had its own program, its own team and
its own tool, and hence businesses were playing catch-up. GRC intermediates the prevalence of this silo
its own tool, and hence businesses were playing catch-up. GRC intermediates the prevalence of this silo
approach by combining these silos
approach by combining these silos
into aasingle program that simply
into single program that simply Rare Events Can Devastate Value
Rare Events Can Devastate Value
enables the firm to be proactive in its
enables the firm to be proactive in its Impact of Recent Low-Probability Events on Value Losses
Impact of Recent Low-Probability Events on Value Losses
(Source: Deloitte ERM Value Killers© 2005)
(Source: Deloitte ERM Value Killers© 2005)
approach to dealing with these myriad
approach to dealing with these myriad
of complexities. However, GRC can
of complexities. However, GRC can
be effective only ififthe right priorities
be effective only the right priorities
are visible at the right time to the
are visible at the right time to the
right stakeholder. ERM is hence the
right stakeholder. ERM is hence the
central convent of aaunified approach
central convent of unified approach
to GRC. ERM is the means to prioritize
to GRC. ERM is the means to prioritize
and manage risks and opportunities
and manage risks and opportunities
across aafirm in aaway that it generates
across firm in way that it generates
greater business value. ERM pays for
greater business value. ERM pays for
itself by reducing financial losses,
itself by reducing financial losses,
improving business performance
improving business performance
and enhancing risk identification and
and enhancing risk identification and
assessment efforts.
assessment efforts.

44

New guidance from SP to identify risks
New guidance from SP to identify risks
affecting shareholder value
affecting shareholder value
“ eeERM Evaluation ultimately will be our opinion of
“ ERM Evaluation ultimately will be our opinion of
thethequalityof managementpractices”– SP
the quality ofofmanagement practices”SP
the qualityof management practices” – – SP
quality management practices” – SP
Our interest in codifying management analysis under the ERM heading coincides with increased interest by many companies to
Our interest in codifying management analysis under the ERM heading coincides with increased interest by many companies to
initiate their own ERM programs –- or other risk-management practices ---- to increase risk-adjusted returns, improve strategic
initiate their own ERM programs –- or other risk-management practices to increase risk-adjusted returns, improve strategic
judgment, and/or avoid extraordinary losses due to lawsuits, fines, operational failures, or negligence. The intersection of these in-
judgment, and/or avoid extraordinary losses due to lawsuits, fines, operational failures, or negligence. The intersection of these in-
terests isis in the expectation that a firm’s future ability to meet financial obligations in full and on time is more likely to be enhanced
terests in the expectation that a firm’s future ability to meet financial obligations in full and on time is more likely to be enhanced
by strong ERM or diminished by weak or nonexistent ERM. Our principal interest in evaluating ERM isis to implement steps that will
by strong ERM or diminished by weak or nonexistent ERM. Our principal interest in evaluating ERM to implement steps that will
limit the frequency and severity of losses that could potentially affect ratings.
limit the frequency and severity of losses that could potentially affect ratings.

Source: SP Initial Risk Enterprise Risk Management Analysis For Credit Ratings Of Nonﬁnancial Companies
Source: SP Initial Risk Enterprise Risk Management Analysis For Credit Ratings Of Nonﬁnancial Companies

SP’s guidance is primarily aimed at helping financial and non-financial services customers to have aa
SP’s guidance is primarily aimed at helping financial and non-financial services customers to have
management that values ERM to and has aa clear strategy to mitigate losses in shareholder value. They’ve
management that values ERM to and has clear strategy to mitigate losses in shareholder value. They’ve
introduced Enterprise Risk Management (ERM) analysis into the corporate credit ratings processes to
introduced Enterprise Risk Management (ERM) analysis into the corporate credit ratings processes to
provide guidance via means of aa structured framework to evaluate the company’s management as a
provide guidance via means of structured framework to evaluate the company’s management as a
principal component in determining the overall business profile –– they intend to take Enterprise Risk
principal component in determining the overall business profile they intend to take Enterprise Risk
Management (ERM) into their analysis of
Management (ERM) into their analysis of
business and its impact on corporate credit
business and its impact on corporate credit
ratings. This undertaking and will impact aa
ratings. This undertaking and will impact In 2005, Hurricane Katrina cost insurers more than $41 billion, the
In 2005, Hurricane Katrina cost insurers more than $41 billion, the
largest loss event ever for the industry. The magnitude of losses
largest loss event ever for the industry. The magnitude of losses
wide range of verticals namely: Manufacturing,
wide range of verticals namely: Manufacturing, eventually reported shocked many. In the wake of the disaster, ERM
eventually reported shocked many. In the wake of the disaster, ERM
Commodities, Utilities, Consumer, Healthcare,
Commodities, Utilities, Consumer, Healthcare, was aa differentiating element when we reviewed insurer credit ratings.
was differentiating element when we reviewed insurer credit ratings.
Technology, Media, Telecommunications and so
Technology, Media, Telecommunications and so Some insurers with weaker ERM had losses that were as much as
Some insurers with weaker ERM had losses that were as much as
twice what they previously reported as their “probable maximum loss”.
twice what they previously reported as their “probable maximum loss”.
on. SP’s wide reaching impact will see other
on. SP’s wide reaching impact will see other These insurers were unable to even estimate their losses several days
These insurers were unable to even estimate their losses several days
rating agencies use basic ERM frameworks in
rating agencies use basic ERM frameworks in after the event. On the other hand, insurers with stronger ERM could
after the event. On the other hand, insurers with stronger ERM could
their analysis of businesses. SP expects firms
their analysis of businesses. SP expects firms quickly estimate losses that were within 25% of actual claims. (Source:
quickly estimate losses that were within 25% of actual claims. (Source:
SP)
SP)
with superior ERM ratings to have less volatility
with superior ERM ratings to have less volatility
in earnings and cash flow, and will optimize the
in earnings and cash flow, and will optimize the
risk/return relationship. Furthermore they intend
risk/return relationship. Furthermore they intend Sample Risk Types
Sample Risk Types
to use these ratings to serve as industry wide risk
to use these ratings to serve as industry wide risk Environment Risks
Environment Risks Financial Risks Supply Risks Management Risks
Financial Risks Supply Risks Management Risks
management benchmarking.
management benchmarking. Business Continuity
Business Continuity Capital availability Commodity Prices Corporate Governance
Capital availability Commodity Prices Corporate Governance
Business Market Environment
Business Market Environment Credit/counterparty Supply Chain
Credit/counterparty Supply Chain Data Security
Data Security
SP deems financial services firms, due to the
SP deems financial services firms, due to the Environmental
Environmental Financial Market Risk
Financial Market Risk Employee health and Safety
Employee health and Safety
nature of their business, intrinsically riskier
nature of their business, intrinsically riskier Liability lawsuits
Liability lawsuits Inflation
Inflation Intellectual Property
Intellectual Property
than non-financial services organizations; and
than non-financial services organizations; and Natural Disasters/Weather
Natural Disasters/Weather Interest Rates
Interest Rates Labor Disputes
Labor Disputes
hence in contrast the ratings process for the
hence in contrast the ratings process for the Pandemic
Pandemic Liquidity
Liquidity Labor Skills shortage
Labor Skills shortage
non-financial services organizations would be
non-financial services organizations would be Physical damage
Physical damage MA/restructuring
MA/restructuring
aa verdict of the efficacy of the management
verdict of the efficacy of the management Political risk
Political risk Managing complexity
Managing complexity
to execute the vision of the company
to execute the vision of the company Regulatory/legislative
Regulatory/legislative Outsourcing problems
Outsourcing problems
and build shareholder value. The scoring
and build shareholder value. The scoring
methodology will have companies scored in
methodology will have companies scored in

55

four primary categories: weak, adequate, strong and excellent – the scoring weight would factor in the
relative significance of ERM in the vertical industry. Where companies rated ‘weak’ display low levels of ERM
maturity – complete absence of controls, in contrast with those rated ‘excellent’ are mature companies with a
comprehensive program of leadership, process, people and technology to manage risks.

Four major analytic components or “pillars” will
support SP’s ERM analysis; these factors are
broad, sector agnostic views into the risks faced
by the firm. These include:
Enterprise Risk Management
 Analysis of making routine corporate
decisions

Risk Management

Management
Risk Controls
Governance
 Analysis of risk controls

Culture

Emerging

Strategic
Risks

Risk
 Analysis of emerging risk preparation
 Analysis of strategic risk management
Company Operations
Risk management culture and governance
provides visibility of importance of “risk taking” Element Description
or lack of in routine decision making – within the Risk Management
Culture
Risk management central to daily decision-making (process)
Risk management culture
company’s corporate culture. SP will evaluate Governance Communication of risks inside and outside the organization (transparency)

a firm’s maturity by assessing its firm structure, Risk Controls Measure and monitor key risks
Maintain risk-control practices
roles and responsibilities to execute ERM. The
Emerging Risks Systematic process for identifying emerging risks
visibility that the top-management has to daily Strategic Risk Incorporate the ideas of risk, risk management, and return for risk into
execution issues with line management and the Management corporate strategic decision-making and planning processes

rendezvous that occurs to communicate and
collaborate on routine decision making are firm
indicators of a winning ERM strategy. A Conference Board report sponsored by Mercer Oliver Wyman which
studied US and European attitudes towards ERM found that the com-
Risk controls help organizations implement the panies that have already implemented ERM reported a “significantly”
higher level of value added than those without ERM programs. The
culture and governance, through identifying, biggest pluses were better informed decisions (86 per cent with ERM,
measuring, and on-going monitoring, reconciling 58 per cent for others), greater management consensus (83 per cent
risk, setting risk limits and arrive at the firm’s daily with ERM, 36 per cent for others) and increased accountability (79 per
cent with ERM, 34 per cent without). A better understanding of opera-
profile for managing risks in a distributed world. tional and strategic risks was also seen as a key benefit. Additional
SP intends to develop an exhaustive list of benefits reported were better strategic planning and a greater ability
controls across sector and firm – and depending to understand the risk/reward equation in decision making. The study
also revealed that the trend towards ERM is helping risk management
upon the relative weight of each control will gain greater acceptance throughout organizations. The highest priority
help painting a picture of the firm’s overall ERM objectives for survey respondents were ensuring risks are considered
efforts. in decision-making and avoiding surprises and predictable failures.

Emerging risk preparation – the black swan
effect author Nassim Nicholas Tasseb in a
recent book ventures out to talk about the black swan affect that can have on a firm’s long term survival.
These are the types of risks that are extremely rare adverse events and are impossible to manage in a
control environment. However some ERM best practices– can help a firm remain prepared for addressing
such scenarios coming to life. Preparedness includes environmental scanning, trend analysis, stress testing,
contingency planning, problem post-mortem, and risk transfer. A firm’s ability to prepare itself for the best or
the worst of – will factor in to its SP Risk profile.

6
3

Strategic Risk Management will help SP to arrive at a single classification of your firms ERM standing or
profile – this could be expressed in terms of earnings loss, Risk profile can be expressed in terms of earnings
loss, enterprise value, or other important financial metrics for various risks or for each firm business.

The essence of planning for the future as a progressive firm is changing. Infinite – risk/reward possibilities,
disparate and complex threats are in the face of today’s vibrant and interconnected global firm. Old adages
on risk – and reward are still worth their value in gold, however they now require several additional people,
process, organization and technology “upgrades” for firms to survive and thrive. ERM hence will provide the
leaders of the organization – a means to increase earnings – and shareholder value – whilst staying within
the well-defined and organizationally absorbed risk tolerance.

7
9

Building the Business Case for ERM
Building the Business Case for ERM
Improved Risk Awareness
Improved Risk Awareness
Application of the Enterprise Risk Management Framework, in conjunction with related risk management
Application of the Enterprise Risk Management Framework, in conjunction with related risk management
activities, augments aacultural shift to aarisk-smart workforce and environment in the organization, which
activities, augments cultural shift to risk-smart workforce and environment in the organization, which
ensures that the organization has the capacity and tools to be innovative while recognizing and respecting
ensures that the organization has the capacity and tools to be innovative while recognizing and respecting
the need to be prudent in protecting its interest. According to aaKPMG survey on ERM conducted in
the need to be prudent in protecting its interest. According to KPMG survey on ERM conducted in
2006, 76% of the enterprises quoted “improved awareness of risk and collaboration” as one of the
2006, 76% of the enterprises quoted “improved awareness of risk and collaboration” as one of the
major benefits. This is further upheld by former Federal Reserve Banker Susan Schmidt Bies, “Increased risk
major benefits. This is further upheld by former Federal Reserve Banker Susan Schmidt Bies, “Increased risk
awareness by staff throughout the enterprise is integral to managing risk successfully.”
awareness by staff throughout the enterprise is integral to managing risk successfully.”

Improved Organizational Efficiency
Improved Organizational Efficiency
The implementation of an ERM framework
The implementation of an ERM framework
brings with it improved efficiency across
brings with it improved efficiency across Improved risk awareness and
Improved risk awareness and
collaboration
collaboration 76%
76%
the entire value chain - -providing top-down
the entire value chain providing top-down Improved regulatory compliance
Improved regulatory compliance 53%
53%
coordination necessary to make various
coordination necessary to make various Improved operations
Improved operations 50%
50%
functions of an organization work efficiently. An
functions of an organization work efficiently. An Improved decision-making
Improved decision-making 48%
48%
integrated team not only better addresses the
integrated team not only better addresses the Reduced infrastructure, operating, oror
Reduced infrastructure, operating, 29%
29%
resources costs
resources costs
individual risks facing the company but also the
individual risks facing the company but also the
Improved earnings oror shareholder value
Improved earnings shareholder value 24%
24%
interdependencies between these risks.
interdependencies between these risks. Reduced earnings volatility due toto
Reduced earnings volatility due
hedging
hedging 21%
21%

Improved equity value oror reduced debt
Improved equity value reduced debt
Enhanced Shareholder Value
Enhanced Shareholder Value costs
costs
20%
20%
Multiple responses provided
Multiple responses provided

A strategic ERM framework brings with direct
A strategic ERM framework brings with direct No/little change
No/little change 8%
8%

impacts to the overall profitability of aafirm. The
impacts to the overall profitability of firm. The Other
Other 4%
4%

February, 2008’s Treasury Risk Magazine cover
February, 2008’s Treasury Risk Magazine cover 0%
0% 20%
20% 40%
40% 60%
60% 80%
80% 100%
100%

story, Audit Busters, reports the business case
story, Audit Busters, reports the business case Percentage ofof Respondents
Percentage Respondents

for the CRO partnering with the CFO at large
for the CRO partnering with the CFO at large
corporation resulting in the transformation
corporation resulting in the transformation Figure 1: KPMG Survey on Assessing ERMs Benefits4 4
Figure 1: KPMG Survey on Assessing ERMs Benefits
of their compliance programs to serve their
of their compliance programs to serve their
business strategy while reducing their external
business strategy while reducing their external
audit hours by 60% at the same time. “Costs can vary” the CRO says. “Despite the fact that Risk management
audit hours by 60% at the same time. “Costs can vary” the CRO says. “Despite the fact that Risk management
,,
software could cost you anywhere from $25,000 to $250,000, depending on the size of the company and the
software could cost you anywhere from $25,000 to $250,000, depending on the size of the company and the
complexity of the operation, it’s not expensive. The payoff is enormous, because you’re not just saving on auditors’
complexity of the operation, it’s not expensive. The payoff is enormous, because you’re not just saving on auditors’
fees. You’re also saving on internal costs, enhancing your credibility, and streamlining risk management across the
fees. You’re also saving on internal costs, enhancing your credibility, and streamlining risk management across the
entire organization. ItItultimately pays for itself.”
entire organization. ultimately pays for itself.”

Risk Exposures Clearly Mapped
Risk Exposures Clearly Mapped
ERM enables an organization to identify measure, monitor, and control its inherent risk exposures of the
ERM enables an organization to identify measure, monitor, and control its inherent risk exposures of the
business at all levels. Elements like Risk Assessment, Event Management, and Key Risk Indicator play an
business at all levels. Elements like Risk Assessment, Event Management, and Key Risk Indicator play an
important role; enabling the organization to evaluate the risk controls, based on the identified inherent risk,
important role; enabling the organization to evaluate the risk controls, based on the identified inherent risk,
and to measure the residual risk which remains after the implementation of controls.
and to measure the residual risk which remains after the implementation of controls.

Roles and responsibilities re-defined
Roles and responsibilities re-defined
Clearly defined roles and responsibilities within the firms risk profile not only streamlines the risk
Clearly defined roles and responsibilities within the firms risk profile not only streamlines the risk
management process, but also allows risk managers to incorporate accountability into the work culture of
management process, but also allows risk managers to incorporate accountability into the work culture of
the organiation.
the organiation.

88

Enhance Corporate Social Responsibility
(CSR) Factor
According to the economist intelligence unit
A Business Case for Enterprise Risk Management (ERM)
survey 2007, the most important outcomes of
effective risk management is that it helps in Qualitative Quantitative
“protecting and enhancing the reputation of Lower incidence of loss events Increase management consensus on risks

the organization” (50 percent). In addition, 41
Risk threshold helps identify opportunities React faster and earlier to loss events
percent say ERM helps in ensuring regulatory
compliance and effective capital and resources Tightly manage customer credit Increase company credit rating (SP)

allocation. Respondents also highlighted “loss Larger number of risk factors active monitoring Become a risk-management first mover
avoidance”38%, increasing shareholder value”
Reduced cost of risk management activities Build overall shareholder value
32% and “reduced earnings volatility” 26% as
some of the other benefits. Quantify market risks Build predictability of company performance

A unified GRC approach induces a high ROI for your ERM program
ERM – creating sustainable value
A majority of the respondents in the AON
survey on ERM 2007 had companies relaying
that their ERM functions produces clearly
identifiable outcomes and benefits. They
bring about organizational sustainability and
competitive advantages; an enhanced sense
of corporate goals and objectives, talent
management, significant reductions of exposure What does your organization consider to be the most
and losses. Identifying principal benefits of important objectives and benefits of risk management?
ERM, 92% of the respondents say that ERM
Select up to three responses
helps in demonstrating compliance, 69% say it (% respondents )
enhances behavior and improves organizational
Protecting and enhancing the reputation of the organization
performance and efficiency 54% say it helps
in reducing cost of risk and secures growth Ensuring regulatory compliance
opportunity under optimized condition.
Ensuring efficient capital and resources allocation

Executives of most companies and other Loss avoidance
entities have developed processes to identify
Increasing shareholder value
and manage risk across the enterprise, and
many others have begun development or are Reducing earnings volatility
considering doing so. Recognizing the need
Maximizing profitability of business units
for definitive guidance on enterprise risk
management, the Committee of Sponsoring Safety of employees and customers
Organizations of the Treadway Commission
Clear reporting and disclosure to investors
(COSO) and RIMS have developed conceptually
sound frameworks providing integrated Other
principles, and practical implementation
guidance supporting the firms programs to 0 10 20 30 40 50
develop or benchmark their enterprise risk
The Economist Intelligence Unit 2007
management processes. Each describes an
approach for identifying, analyzing, responding Figure 2: KPMG’s Survey6
to, and monitoring risks or opportunities, within
the internal and external environment facing the
enterprise.
9

MetricStream: GRC’s preeminence powers ERM
MetricStream: GRC’s preeminence powers ERM
across industry silos
across industry silos
MetricStream recently released
MetricStream recently released
aaversion 2.0 of the “Enterprise
version 2.0 of the “Enterprise
Compliance Map©” ––through this
Compliance Map©” through this
map (which is only available as aa
map (which is only available as Enterprise Compliance
folded road-map style hardcopy)
folded road-map style hardcopy) Map©
we intend to portray ERM as the
we intend to portray ERM as the
central covenant in aacompany’s
central covenant in company’s
GRC program.
GRC program.
Our ERM solution is based on
Our ERM solution is based on
thought leadership best-
thought leadership best-
practices experiences work, where
practices experiences work, where
we’ve worked hand-in-hand with
we’ve worked hand-in-hand with
our customers to bring to bear
our customers to bring to bear
some of the best practices that
some of the best practices that
companies exhibit when it comes to
companies exhibit when it comes to
managing ERM. This knowledge is
managing ERM. This knowledge is
represented in our vertical specific
represented in our vertical specific
ERM solutions that power the GRC
ERM solutions that power the GRC
programs for several fortune 500
programs for several fortune 500 Risk Pyramid
companies.
companies.
methodology and tools empower MetricStream ERM Pyramid©
methodology and tools empower
the organization through careful
the organization through careful Identification of Future
structuring of risk assessment and
structuring of risk assessment and
Threats

by automating compliance efforts.
by automating compliance efforts. Ongoing Monitoring of Internal
and External Risks
Regulatory Compliance
Regulatory Compliance
Management
Management Periodic Assessment of
Risk
The MetricStream solution
The MetricStream solution
provides aacommon framework
provides common framework Implementation of Business
Financial Controls to
and an integrated approach to
and an integrated approach to Mitigate Risk
manage cross-industry mandates
manage cross-industry mandates Attestation That
and regulations such as SOX,
and regulations such as SOX, Management Has Financial
OSHA, EHS and FCPA as well as
OSHA, EHS and FCPA as well as
Controls in Place

the industry focused regulatory
the industry focused regulatory
guidelines from AML, BASELII, FERC,
guidelines from AML, BASELII, FERC,
NERC and Data Management laws.
NERC and Data Management laws.
2
MetricStr
Governance, Risk, Compliance Quality Man

10

Streamlined Risk Methodology
The MetricStream solution ensures that aaformalprocedure for analyzing and managing enterprise risk isis
The MetricStream solution ensures that aformal procedure for analyzing and managing enterprise risk is
The MetricStream solution ensures that formal procedure for analyzing and managing enterprise risk
implemented and followed. ItItidentifiesand documents potential threats and vulnerabilities, quantifies total
implemented and followed. Itidentifies and documents potential threats and vulnerabilities, quantifies total
implemented and followed. identifies and documents potential threats and vulnerabilities, quantifies total
cost of risk and compliance and drives the creation of business processes and controls. Its flexible scheduling
tool allows the enterprise to assess, test and document controls. Prioritizing response strategies for optimal
risk/reward outcomes isisalsoeasier to perform. The solution quantifies market risk for portfolios and ensures
risk/reward outcomes isalso easier to perform. The solution quantifies market risk for portfolios and ensures
risk/reward outcomes also easier to perform. The solution quantifies market risk for portfolios and ensures
that the right risk methodology isisfollowed.
that the right risk methodology isfollowed.
that the right risk methodology followed.

Increased Protection
Organizations must adopt aastrategicapproach to risk management in order to ensure maximum protection
Organizations must adopt astrategic approach to risk management in order to ensure maximum protection
Organizations must adopt strategic approach to risk management in order to ensure maximum protection
from attacks. Process vulnerability and risk exposures are fully mapped by MetricStream and threats to the
most critical assets are prioritized to set the right protection strategy for the organization. The underlying
workflow and collaboration engine of MetricStream’s solution determines the potential impact of threat
occurrence and the existing level of risk to develop and implement aasuitablecorporate risk management
occurrence and the existing level of risk to develop and implement asuitable corporate risk management
occurrence and the existing level of risk to develop and implement suitable corporate risk management
and mitigation plan.

Efficient Controls
Efficient Controls
Efficient Controls
The MetricStream solution enables process owners to take direct responsibility for managing controls
while auditors can focus on key compliance risks and project oversight. To eliminate risks from deviations
in procedures, errors and redundant activities, compliance and controls can be made consistent across the
enterprise using the centralized framework. ItItalsohelps avoid the danger of stringent and varied sanctions
enterprise using the centralized framework. Italso helps avoid the danger of stringent and varied sanctions
enterprise using the centralized framework. also helps avoid the danger of stringent and varied sanctions
by encouraging employees across the enterprise to contribute information that pertains to reducing
exposure to risk and improving safety, productivity and quality.

Cost Reduction
Cost Reduction
Cost Reduction
Automated information flows, assessments and testing, remediation assignments and time stamped audit
trails reduce overall compliance and risk management costs. The solution helps avoid increased write-offs,
losses and rising cost overlays while creating investment opportunities and improving performance.

Web-based Reporting and Role-based
Dashboards ––Riskheat maps, graphical charts
Dashboards –Risk heat maps, graphical charts
Dashboards Risk heat maps, graphical charts
and compliance dashboards provide increased
ERM Business Process
enterprise-wide transparency into the
enterprise-wide transparency into the
enterprise-wide transparency into the Reconcile
Initial Risk
compliance process and highlight issues that
compliance process and highlight issues that
compliance process and highlight issues that C-level Set-up Risk
Libraries
Scoring Using
Comments and
Present to
Take Action
views Risk Calculator
need to be addressed. Continuous reporting
need to be addressed. Continuous reporting
need to be addressed. Continuous reporting Senior Mgmt.

and benchmarking of implemented procedures
using control diagrams and scorecards
using control diagrams and scorecards
using control diagrams and scorecards Business
B i Review Scoring
and Enter
Unit Heads
ensures that risks are identified and resolved
ensures that risks are identified and resolved
ensures that risks are identified and resolved Exceptions

in real-time. Detailed and relevant risk data isis
in real-time. Detailed and relevant risk data is
in real-time. Detailed and relevant risk data
automatically compiled by the MetricStream
automatically compiled by the MetricStream
automatically compiled by the MetricStream Senior Line Review Scoring
and Enter
Approve Risk
Management Analysis
solution and drives internal audit, regulatory
solution and drives internal audit, regulatory
solution and drives internal audit, regulatory Exceptions

and financial compliance processes (e.g., FERC,
NERC, SOX). Quarterly and monthly trending
analysis, detailed reports and elaborative
dashboards provide aabird’seye view of the
dashboards provide abird’s eye view of the
dashboards provide bird’s eye view of the
risk scenario. Automated alerts help the risk
managers foresee future challenges and
manage risks better.

11
11
11
11

Integrated Document Management System – MetricStream’s integrated document management
system with change control capabilities synchronizes compliance documentation and business processes,
ensuring availability of data across the enterprise. When fully integrated with a company’s daily compliance
management activities, accurate tracking of risks and compliance efforts helps the company easily and
effectively grow its business and strengthen its operations.

Structured Process for Sharing Confidential Information – MetricStream’s centralized document control
system coupled with its rigorous data mapping process enables real time sharing of sensitive data among
key stakeholders and support NERC CIP data loss prevention.

Closed-loop Issues Management – The MetricStream solution provides a robust issue and remediation
management platform that enables companies to establish and follow mandates for managing
nonconformance, adverse events, exceptions, failures, and processi deviations. It is a comprehensive solution
that enables companies to streamline the development and implementation of remediation and corrective
action plans processes across the enterprise. It provides end-to-end exception and change management
capabilities to help companies capture problem data from anywhere in their operation, conduct
investigation to determine the root cause, manage the entire preventive and corrective process, implement
changes, and ensure that the issue is resolved effectively. Powerful analytics and reporting capability with
graphical dashboards to track each case from initiation to closure, gives managers complete real-time
visibility into the remediation process.

12
12

Conclusion
Many of the world’s largest companies struggle with an ever changing risk profile in today’s dynamic and
disparate world. There have been hence tremendous losses in shareholder value over the recent year and
the last decade. Many of these losses occurred due to failures in recognizing and managing diverse risks.
Today, GRC based Enterprise Risk Management is a critical CEO and board agenda as regulatory authorities,
government quasi-government regulatory agencies and credit rating agencies view a company’s ERM
practices an leading indicator of management ability to execute on the vision. To preserve value, companies
need to go beyond managing risk management in silos to create an integrated, organization-wide GRC
management function. Firms adopting such a comprehensive approach to GRC and ERM will have access
to systems that would help them define an overall risk appetite and weigh critical interdependencies
among different types of risks. Finally, ERM is as much about people and organizations as it’s about business
processes and information systems that are needed that are needed for real-time reports to apprise senior
management and the board of directors of primary risks and opportunities. Leveraging ERM to implement
a more comprehensive GRC based approach to their control environment will render the organization to be
better placed to maximize shareholder value.

References:
 ERM still out of reach for many: By Stuart Fagg
http://www.riskmanagementmagazine.com.au/articles/17/0c035617.asp
 Excellence in Risk Management IV - An Annual Survey of Risk - The 360° View of Risk
http://searchdatamanagement.techtarget.com/news/article/0,289142,sid91_gci1308910,00.html
 Enterprise Risk Management in the United States A 2006 Report Card
http://www.taxgovernanceinstitute.com/documents/TGI/3132007203018kpmg082560.pdf
 ENTERPRISE RISK MANAGEMENT SURVEY, 2006
http://www.rmahq.org/NR/rdonlyres/B9281EB1-8961-4C5A-B211-C0927C870451/0/ERMDistribute2Public.
pdf
 Best practice in risk management A function comes of age
http://www.kpmg.com.au/Portals/0/eiu_Risk_Management.pdf
 Enterprise Risk Management - The full picture by AON

13
13

About MetricStream
MetricStream is the leading provider of solutions for Gov-
ernance, Risk, Compliance (GRC) and Quality Management. MetricStream, Inc.
Organizations today need a systematic approach to defin- 3000 Bridge Parkway
ing and managing GRC initiatives and quality management Redwood Shores CA 94065
programs through a sustainable and integrated process that Phone: 650-620-2900
is aligned with the corporate strategy instead of a series of Fax: 650-632-1953
unrelated tactical projects. MetricStream has enabled lead- info@metricstream.com
ing corporations in diverse industries to make the shift from Copyrights © 2008. MetricStream. All rights reserved
isolated compliance initiatives and departmental silos of risk-
related information to integrated enterprise-wide strategy for
GRC and quality management.
For More Information
about MetricStream GRC and Quality
Management Solutions
please visit www.metricstream.com

1

Enterprise Risk Management (ERM) - A GRC Based Approach to Risk and Reward Management

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Andere mochten auch

Andere mochten auch (12)

Mehr von Enterprise Technology Management (ETM)

Mehr von Enterprise Technology Management (ETM) (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Enterprise Risk Management (ERM) - A GRC Based Approach to Risk and Reward Management