Enterprise Risk
Integrating Enterprise Risk Management (ERM) with Organizational Strategy
An ERM program must align with corporate strategy to give the organization a complete and comprehensive approach to managing risk.
by Henry Killackey
Once regarded as unsinkable, the RMS Titanic nonetheless collided with an iceberg on
April 14, 1912, and sank to the bottom of the frigid Atlantic in less than three hours.
More than 1,500 passengers died.
32 May 2009 The RMA Journal
The builders and crew of the vessel had praised its advanced technology and numerous safety features, believing it could withstand any threat from nature. Their overconfidence became evident when the ship’s poor design hastened its demise and a shortage of lifeboats led to many unnecessary deaths. Had the crew and builders properly accounted for all potential risks, the ship and its passengers might have avoided disaster.

In recent years, many financial executives developed the same kind of unwarranted confidence in their enterprise risk management (ERM) programs. Institutions such as Lehman Brothers and AIG implemented ERM programs to protect their assets and prevent their organizations from collapsing. Yet changing business conditions and misguided moves by internal players created risks that neither organization anticipated. Their ERM programs failed to protect them from risks that led to disaster.

Despite the experiences of Lehman Brothers and AIG, enterprise risk management can be a valuable tool in protecting your organization. The key is to align your ERM program and your corporate strategy to give your organization a complete and comprehensive approach to managing all types of risk.

Defining ERM

The current financial crisis and global economic recession offer a vivid reminder to the risk management community that changes in business conditions can happen quickly. Driving these changes are globalization, technology advances, compliance with new regulations, emerging markets, competition, geopolitical threats, and natural hazards, among other risk events. Rapid and significant change increases an organization’s exposure to loss, making a comprehensive ERM program necessary.

For many publicly traded companies, ERM has emerged as a value-added contribution to Sarbanes-Oxley (SOX) compliance and audit efforts.[1] According to a survey reported in Business Finance Magazine, 76% of respondents indicated they either intended to expand SOX compliance into ERM, or were already in the process of doing so.[2]

Widely accepted definitions of ERM emphasize that it needs to be a part of the organization’s DNA. For instance, as defined by COSO in 2004, ERM is “effected by an entity’s board of directors, management and other personnel.” It is “applied in strategy setting across the enterprise” and “designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite to provide reasonable assurance regarding the achievement of entity objectives.”

The COSO definition describes ERM as guiding the achievement of organizational goals and objectives. According to Barton, Shenkir, and Walker, the purpose of ERM initiatives is to “create, protect, and enhance shareholder value by managing the uncertainties that could influence achieving the organization’s objectives.”[3] By this stated purpose, ERM initiatives are not intended to eliminate risk, but to manage risk for the sake of achieving organizational objectives.

But while many traditional or outdated definitions of enterprise risk describe risk in a negative light, Thomas Stewart says risk should not be eliminated: “Risk—let’s get this straight up front—is good. The point of risk management isn’t to eliminate it; that would eliminate reward. The point is to manage it—that is, choose where to place bets, and where to avoid betting altogether.”[4] In short, risk has to be managed for the organization to seize new opportunities, avoid potential losses, and execute strategy.

Clarifying Strategy and Organizational Objectives

Organizational strategy is the intended course of action required to achieve goals or objectives, and it must be executed to achieve the desired end result. The COSO definition of ERM gives it a strategic purpose. But in order to make ERM a part of the strategy, that strategy must be clarified and understood by the organization.

Unfortunately, strategy rarely gets the attention it deserves, despite the important role it plays in an organization’s performance. This has resulted in the failure to execute strategy by nine out of 10 organizations, according to the Balanced Scorecard Collaborative. The firm has identified four barriers to executing strategy, as shown in Figure 1.

Figure 1. Four Barriers to Executing Strategy
Nine out of 10 organizations fail to execute their strategy.
Vision Barrier: Only 5% of the workforce understands the strategy.
People Barrier: Only 25% of managers have incentives linked to the strategy.
Management Barrier: 85% of executive teams spend less than one hour per month discussing long-term strategy.
Resources Barrier: 60% of organizations do not link strategy to budgets.
Source: Balanced Scorecard Collaborative newsletter.

If ERM can be understood as a process that guides the achievement of objectives, it can be integrated into the strategic actions of the organization. Accordingly, it is important that a broad strategy be broken down to operational terms that employees, managers, and other internal stakeholders can understand. An understanding of strategy can help foster buy-in and inspire action.

The integration of ERM and strategy begins with the Balanced Scorecard (BSC). Developed by Robert Kaplan and David Norton, the BSC is a management and communication tool that articulates strategy and the organization’s progress in executing it across four perspectives:
1. Financial: How do shareholders view the organization?
2. Customer: How do customers view the organization’s product, brand, and image?
3. Internal Process: At which processes must the organization excel in order to satisfy customers and shareholders?
4. Learning and Growth: Which human capital assets must the organization develop or draw from in order to execute value-creating processes?

A complete BSC contains measures, targets, and initiatives within each of the four perspectives that link to strategy. All of these elements are derived from a strategy map, a diagram reflecting the cause-and-effect relationships among the strategic objectives of the four perspectives. Learning/growth and internal process are regarded as input perspectives because they drive results within the customer and financial perspectives (also known as outcome perspectives).

At the core of the strategy map is learning and growth. Employee growth and development is a catalyst for organizational performance and has a direct influence on the success of internal processes. An educated and well-trained workforce can execute more sophisticated processes, which in turn improves organizational efficiency and directly influences the customer’s perspective. Improved efficiency from better processes can increase customer satisfaction and loyalty. Finally, improved customer satisfaction and loyalty can result in larger sustainable revenue streams for the organization, which translates into greater financial performance, directly impacting shareholder satisfaction.

Figure 3. Strategic Linkage of the Four Perspectives of the Balanced Scorecard
Organizational Vision / Mission: strategic objectives are placed within the four perspectives of the BSC.
Financial: To succeed financially, how must we appear to shareholders?
Customer: To achieve our vision, how should we appear to our customers?
Internal Business Processes: To satisfy our shareholders and customers, what business processes must we excel at?
Learning and Growth (strategic enablers): Which key assets must we draw on to execute our value-creating process?

Identifying and Measuring Risk

When a strategy is broken down to operational or understandable terms, the organization can begin work on identifying specific risks that threaten organizational performance. The following are some typical ways to identify risks.

Internal investigation: An organization can examine itself to find risks and their impacts. Methods for investigation include brainstorming sessions among business unit managers, SWOT analysis, surveys, and interviews. Looking internally enables the organization to gather information from the employees and managers who work to prevent risks from adversely affecting business units.

External sources: An organization can gain valuable information about its risks by relying on external sources. This effort can include conversations with risk consultants and discussions with subject matter experts outside of the organization. Benchmarking is another external source. Benchmarking involves researching best practices in the industry and comparing the organization’s risk management efforts to those practices.[5] The information gathered from these sources can help an organization refine its course of action for managing risk.

Tools: Risks can be identified by dissecting business processes. Tools such as Six Sigma, Pareto analysis, and Ishikawa diagrams can provide insight into the controls and gaps within business processes.[6]

Once a risk has been identified, it can be classified. Is it a hazard risk, a strategic risk, a legal risk, or some other type of risk? Classification also includes determining the likelihood of a risk event occurring.[7]

The following qualitative methods are often used for classifying risks:
• Risk “heat maps” that depict the impact and likelihood of risk events.
• Risk rankings.
• Identification of risk correlations.

Figure 2. Risk “Heat Map” Template for Classifying Risk
Rows: Probability of Occurrence (top row high, bottom row low). Columns: Magnitude of Risk (left column low, right column high).
High probability: Yellow (Emerging Risk) | Red (High Impact Risk) | Red (High Impact Risk)
Middle row: Green (Controlled Risk / Poses Limited Threat) | Yellow (Deserves Monitoring) | Red (Requires Attention)
Low probability: Green (Controlled Risk / Poses Limited Threat) | Green (Controlled Risk / Poses Limited Threat) | Yellow (Has Potential to Become Severe)
*Some companies will use more or fewer cells in a heat map, depending upon their risk portfolio or their desired level of detail.

Once a risk has been classified, it can be measured for severity. Indeed, quantifying risk is necessary in order to understand the size of its impact. Many organizations need this information to perform tasks such as purchasing insurance or determining economic capital.

The following quantitative methods are often used for measuring risks:
• Tornado chart (a bar chart that compares multiple sets of risk data).
• Gain/loss chart (a chart that determines the valuation of an asset).
• Cash flow at risk (a method that determines how changes in risk factors affect an organization’s cash flow).

Monitoring

Effective ERM requires monitoring and reporting on the performance of risk management processes. It is a continuous and collaborative effort that should involve the input and cooperation of stakeholders such as the C-level executives, the audit committee, and the board of directors. This collaboration is essential to ensure that ERM enhances organizational confidence in making decisions and executing strategy.

It is vitally important, however, to remember the COSO definition of ERM and its clear link with strategy: a process “applied in strategy setting across the enterprise.”

ERM and the BSC can be integrated because of the organization-wide view that each requires from users. To be effective, the BSC has to provide a balanced view of the organization to drive strategy execution and business performance across the enterprise. The BSC requires input and feedback from entities inside and outside the organization. It does not rely solely on the viewpoints of shareholders or the financial returns of the enterprise, but on the perspectives of customers, employees, and other internal stakeholders. Meanwhile, ERM is not just about mitigating operational risks or the risks that affect a specific business unit. ERM requires the assessment and management of the entire portfolio of risks that can impact any internal process, employee, customer perspective, or financial result.[8]

Strategic objectives for risk management can be built into the internal process perspective of the organizational strategy map, in which processes are segregated into four categories: operations management, customer management, innovation, and regulatory/social. Risks can be managed within each of these categories. In operations management, risks can affect supplies, logistics, and production (traditionally for nonfinancial industries). In managing customers, there are risks involved in selecting and acquiring customers. There are innovation risks in developing new products and introducing them to the marketplace. Also, damage can be done to an organization’s reputation when there is a failure to comply with regulations. Strategic objectives related to ERM can be linked into each of these process categories to ensure alignment across the perspective and achieve broad impact.

Figure 4. Example of a Strategy Map: Main Street Financial Corporation Strategy Map for a Fictitious Bank
Purpose: Maximize the long-term total return to our shareholders.
Financial: F1: Long Term Growth with Top Tier Earnings. Become a Top Performing Sales Organization: F2: Increase Revenues; F3: Maintain a High Level of Risk Management; F4: Manage Expenses; F5: Strategically Invest/Divest.
Customers: Acquire and Retain Customers: C1: Provide Financial Solutions for Life; C2: Deliver Quality Service.
Internal Processes: I1: Expand and Enhance Offerings; I2: Use the Preferred Way of Selling; I3: Profitably Deliver Consistent Service. Optimize Business Effectiveness: I4: Proactively Manage Resource Allocation; I5: Continually Improve our Business Processes.
Learning: Employees are our #1 Asset: E1: We Will Be the Preferred Employer; E2: We Will Develop the Leadership Expertise to Succeed; E3: We Will Have Employees Who Volunteer in our Communities; E4: We Will Recognize and Reward Outstanding Results.

There are also risks in the learning and growth perspective on which ERM-related strategic objectives can be built. There are risks behind selecting potential new employees. There is the risk of improperly training and supervising new employees. Also, there are risks in not having an effective succession plan for the future health of the organization. ERM-related strategic objectives can be built into this perspective to mitigate the chance and impact of these risks. Objectives created for such risks can communicate the importance of ERM to human resources and organizational development professionals who work within the enterprise.

By applying ERM to the input perspectives, positive results can emerge in the customer and financial perspectives. Driving ERM in the learning/growth and internal process perspectives can lead to greater cost controls and, as a result, reasonable prices for customers. ERM applied in the internal process perspective can ensure product quality that strengthens the organizational brand image to the customer. In every benefit that comes to customers through integrating ERM in the input perspectives, there is the greater opportunity that can come by ensuring customer loyalty and acquiring new customers, which can drive financial results for shareholders.
The BSC can effectively align ERM efforts with strategy while communicating the relevance of risk management to individuals and business units. By including in the organizational strategy map nine- or 10-word strategic objectives that communicate the mitigation of specific risks, individuals can understand how risk management aligns with their jobs.

Conclusion

Once it is integrated into strategy, ERM can spread throughout the entire organization. This integration requires cooperation among executives, managers, and employees. It also requires an organizational commitment to identify risk across business units and to thoroughly assess and measure risk. With the help of the Balanced Scorecard, an organization can articulate its strategy and ERM programs while alleviating the challenges of executing the strategy.

Henry Killackey, a certified Six Sigma Green Belt, is the educational services manager and a founding member of the Global Institute for Management (www.gimanagement.com), an educational services provider that facilitates workshops and training sessions covering issues in performance management and risk management. Contact him by e-mail at henry.killackey@gimanagement.com. Write to editor@rmahq.org.

Notes
1. Killackey, Henry. “The Balanced Approach to Managing Risk—Integrating the Balanced Scorecard with Enterprise Risk Management.” Information Management Magazine, February 1, 2008. Available at http://www.information-management.com/issues/2007_44/10000635-1.html.
2. “How Compliance Became an ERM Trigger.” Business Finance Magazine, September 11, 2007. Available at http://businessfinancemag.com/article/how-compliance-became-erm-trigger-0911.
3. Barton, Thomas, William Shenkir, and Paul Walker. Making Enterprise Risk Management Pay Off: How Leading Companies Implement Risk Management. Upper Saddle River: Financial Times/Prentice Hall, 2003, p. 5.
4. Op. cit., p. 1.
5. Pyzdek, Thomas. The Six Sigma Handbook: A Complete Guide for Green Belts, Black Belts, and Managers at All Levels. New York: McGraw-Hill, 2003, p. 91.
6. Schaefer, John. “Practical Approaches to ERM.” Presented at the Enterprise Risk World conference, Houston, November 28, 2006.
7. Killackey, Henry. “Building the Quality-Centered Enterprise Risk Program.” The RMA Journal, May 1, 2007.
8. Killackey, Henry. “The Balanced Approach to Managing Risk—Integrating the Balanced Scorecard with Enterprise Risk Management.”