ERM Week 2

 Your medical group wants to expand by starting a new venture, owning and operating a pharmacy. In order to increase the chances for success, you have been asked to perform an enterprise risk assessment that includes reputational risk. Give three examples of how starting a new venture might have risk events that could lead to repercussions that would negatively impact the organization’s reputation and three examples where it might be enhanced, creating opportunity. Please be descriptive.
MUST BE APA ONLY PLEASE!!!


Additional Praise for Implementing Enterprise Risk Management

“Educators the world over seeking to make the management of risk an integral part of management degrees have had great difficulties in providing their students with a definitive ERM text for their course. The Standards and associated Handbooks helped, but until the arrival of Implementing Enterprise Risk Management: Case Studies and Best Practices, there has been no text to enlighten students on the application of an effective program to manage risk across an enterprise so that objectives are maximized and threats minimized. Fraser, Simkins, and Narvaez have combined with a group of contributors that represent the cream of risk practitioners, to provide the reader with a clear and concise journey through the management of risk within a wide range of organizations and industries. The knowledge, skills, and experience in the management of risk contained within the covers of this book are second to none. It will provide a much needed resource to students and practitioners for many years to come and should become a well-used reference on the desk of every manager of risk.”
—Kevin W. Knight AM, chairman, ISO/TC 262—Risk Management

“The authors—Fraser, Simkins, and Narvaez—have done an invaluable service to advance the science of enterprise risk management by collecting an extensive number of wonderful case studies that describe innovative risk management practices in a diverse set of companies around the world. This book should be an extremely valuable source of knowledge for anyone interested in the emerging and evolving field of risk management.”
—Robert S. Kaplan, senior fellow, Marvin Bower Professor of Leadership Development, emeritus, Harvard University

“Lessons learned from case studies and best practices represent an efficient way to gain practical insights on the implementation of ERM. Implementing Enterprise Risk Management provides such insights from a robust collection of ERM programs across public companies and private organizations. I commend the editors and contributors for making a significant contribution to ERM by sharing their experiences.”
—James Lam, president, James Lam & Associates; director and Risk Oversight Committee chairman, E∗TRADE Financial Corporation; author, Enterprise Risk Management—From Incentives to Controls

“For those who still think that enterprise risk management is just a fad, the varied examples of practical value-generating uses contained in this book should dispel any doubt that the discipline is here to stay! The broad collection of practices is insightful for students, academics, and executives, as well as seasoned risk management professionals.”
—Carol Fox, ARM, director of Strategic and Enterprise Risk Practice, RIMS

“Managing risk across the enterprise is the new frontier of business management. Doing so effectively, in my view, will be the single most important differentiating factor for many enterprises in the twenty-first century. Implementing Enterprise Risk Management: Case Studies and Best Practices is an innovative and important addition to the literature and contains a wealth of insight in this critical area. This book’s integration of theory with hands-on, real-world lessons in managing enterprise risk provides an opportunity for its readers to gain insight and understanding that could otherwise be acquired only through many years of hard-earned experience. I highly recommend this book for use by executives, line managers, risk managers, and business students alike.”
—Douglas F. Prawitt, professor of Accounting at Brigham Young University, and Committee of Sponsoring Organizations (COSO) Executive Board member

“The real beauty of and value in this book is its case study focus and the wide variety of firms profiled and writers’ perspectives shared. This will provide readers with a wealth of details and views that will help them chart an ERM journey of their own that is more likely to fit the specific and typically customized ERM needs of the firms for whom they toil.”
—Chris Mandel, senior vice president, Strategic Solutions for Sedgwick; former president of the Risk Management Society and the 2004 Risk Manager of the Year

“Implementing Enterprise Risk Management looks at many industries through excellent case studies, providing a real-world base for its recommendations and an important reminder that ERM is valuable in many industries. I highly recommend this text.”
—Russell Walker, clinical associate professor, Kellogg School of Management; author of Winning with Risk Management

“The body of knowledge in Implementing Enterprise Risk Management continues to develop as business educators and leaders confront a complex and rapidly changing environment. This book provides a valuable resource for academics and practitioners in this dynamic area.”
—Mark L. Frigo, director, Strategic Risk Management Lab, Kellstadt Graduate School of Business, DePaul University

“The management of enterprise risk is one of the most vexatious problems confronting boards and executives worldwide. This is why this latest book by Fraser, Simkins, and Narvaez is a much needed and highly refreshing approach to the subject. The editors have managed to assemble an impressive list of contributors who, through a series of fascinating real-life case studies, adroitly help educate readers to better understand and deal with the myriad of risks that can assault, seriously maim, and/or kill an organization. This is a ‘how to’ book written with the ‘risk management problem solver’ in mind. It provides the link that has been missing for effectively teaching ERM at the university and executive education levels and it is an exceptional achievement by true risk management advocates.”
—Dr. Chris Bart, FCPA, founder and lead faculty, The Directors College of Canada

“The Institute of Risk Management welcomes the publication of this highly practical text which should be of great interest to our students and members around the world. Implementing Enterprise Risk Management brings together a fine collection of detailed case studies from organizations of varying sizes and working in different sectors, all seeking to enhance their business performance by managing their risks more effectively, from the boardroom to the shop floor. This book makes a valuable contribution to the body of knowledge of what works that will benefit the development of the risk profession.”
—Carolyn Williams, technical director, Institute of Risk Management

IMPLEMENTING ENTERPRISE RISK MANAGEMENT

The Robert W. Kolb Series in Finance provides a comprehensive view of the field of finance in all of its variety and complexity. The series is projected to include approximately 65 volumes covering all major topics and specializations in finance, ranging from investments, to corporate finance, to financial institutions. Each volume in the Kolb Series in Finance consists of new articles especially written for the volume.

Each volume is edited by a specialist in a particular area of finance, who develops the volume outline and commissions articles by the world’s experts in that particular field of finance. Each volume includes an editor’s introduction and approximately thirty articles to fully describe the current state of financial research and practice in a particular area of finance.

The essays in each volume are intended for practicing finance professionals, graduate students, and advanced undergraduate students. The goal of each volume is to encapsulate the current state of knowledge in a particular area of finance so that the reader can quickly achieve a mastery of that special area of finance.

IMPLEMENTING ENTERPRISE RISK MANAGEMENT
Case Studies and Best Practices
Editors
John R.S. Fraser
Betty J. Simkins
Kristina Narvaez
The Robert W. Kolb Series in Finance

Cover Design: Wiley
Cover Image: © iStock.com/clauiad
Copyright © 2015 by John R.S. Fraser, Betty J. Simkins, Kristina Narvaez. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data:
ISBN 978-1-118-69196-0 (Hardcover)
ISBN 978-1-118-74576-2 (ePDF)
ISBN 978-1-118-74618-9 (ePub)
Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1

To Wendy, my wonderful wife and my inspiration, and to my parents who instilled in me a lifelong thirst for learning.
—John Fraser

To my husband (Russell) and our family: sons and daughters-in-law (Luke & Stephanie and Walt & Lauren), daughter and son-in-law (Susan & Jason), and our youngest daughter (April). Thank you for your love, support, and encouragement!
—Betty Simkins

I would like to thank my husband and four children for supporting me on my journey of writing two chapters and co-editing this book. I would also like to thank the Risk and Insurance Management Society for supporting me during my educational years and providing great workshops and conferences on enterprise risk management.
—Kristina Narvaez

Contents
Foreword
1 Enterprise Risk Management Case Studies: An Introduction and Overview
John R.S. Fraser, Betty J. Simkins, and Kristina Narvaez
PART I Overview and Insights for Teaching ERM
2 An Innovative Method to Teaching Enterprise Risk Management: A Learner-Centered Teaching Approach
David R. Lange and Betty J. Simkins
PART II ERM Implementation at Leading Organizations
3 ERM at Mars, Incorporated: ERM for Strategy and Operations
Larry Warner
4 Value and Risk: Enterprise Risk Management at Statoil
Alf Alviniussen and Håkan Jankensgård
5 ERM in Practice at the University of California Health System
Grace Crickette
6 Strategic Risk Management at the LEGO Group: Integrating Strategy and Risk Management
Mark L. Frigo and Hans Læssøe
7 Turning the Organizational Pyramid Upside Down: Ten Years of Evolution in Enterprise Risk Management at United Grain Growers
John Bugalla
8 Housing Association Case Study of ERM in a Changing Marketplace
John Hargreaves
9 Lessons from the Academy: ERM Implementation in the University Setting
Anne E. Lundquist
10 Developing Accountability in Risk Management: The British Columbia Lottery Corporation Case Study
Jacquetta C. M. Goy
11 Starting from Scratch: The Evolution of ERM at the Workers’ Compensation Fund
Dan M. Hair
12 Measuring Performance at Intuit: A Value-Added Component in ERM Programs
Janet Nasburg
13 TD Bank’s Approach to an Enterprise Risk Management Program
Paul Cunha and Kristina Narvaez
PART III Linking ERM to Strategy and Strategic Risk Management
14 A Strategic Approach to Enterprise Risk Management at Zurich Insurance Group
Linda Conrad and Kristina Narvaez
15 Embedding ERM into Strategic Planning at the City of Edmonton
Ken Baker
16 Leveraging ERM to Practice Strategic Risk Management
John Bugalla and James Kallman
PART IV Specialized Aspects of Risk Management
17 Developing a Strategic Risk Plan for the Hope City Police Service
Andrew Graham
18 Blue Wood Chocolates
Stephen McPhie and Rick Nason
19 Kilgore Custom Milling
Rick Nason and Stephen McPhie
20 Implementing Risk Management within Middle Eastern Oil and Gas Companies
Alexander Larsen
21 The Role of Root Cause Analysis in Public Safety ERM Programs
Andrew Bent
22 JAA Inc.—A Case Study in Creating Value from Uncertainty: Best Practices in Managing Risk
Julian du Plessis, Arnold Schanfield, and Alpaslan Menevse
23 Control Complacency: Rogue Trading at Société Générale
Steve Lindo
24 The Role of VaR in Enterprise Risk Management: Calculating Value at Risk for Portfolios Held by the Vane Mallory Investment Bank
Allissa A. Lee and Betty J. Simkins
25 Uses of Efficient Frontier Analysis in Strategic Risk Management: A Technical Examination
Ward Ching and Loren Nickel
PART V Mini-Cases on ERM and Risk
26 Bim Consultants Inc.
John R.S. Fraser
27 Nerds Galore
Rob Quail
28 The Reluctant General Counsel
Norman D. Marks
29 Transforming Risk Management at Akawini Copper
Grant Purdy
30 Alleged Corruption at Chessfield: Corporate Governance and the Risk Oversight Role of the Board of Directors
Richard Leblanc
31 Operational Risk Management Case Study: Bon Boulangerie
Diana Del Bel Belluz
PART VI Other Case Studies
32 Constructive Dialogue and ERM: Lessons from the Financial Crisis
Thomas H. Stanton
33 Challenges and Obstacles of ERM Implementation in Poland
Zbigniew Krysiak and Sławomir Pijanowski
34 Turning Crisis into Opportunity: Building an ERM Program at General Motors
Marc S. Robinson, Lisa M. Smith, and Brian D. Thelen
35 ERM at Malaysia’s Media Company Astro: Quickly Implementing ERM and Using It to Assess the Risk-Adjusted Performance of a Portfolio of Acquired Foreign Companies
Patrick Adam K. Abdullah and Ghislain Giroux Dufort
About the Editors
Index

Foreword

Enterprise Risk Management is an evolving discipline focused on a complex and still imperfectly-understood subject. In such a situation, science is advanced best by collecting data from multiple, independent sites. A rich set of observations educates the field’s scholars and practitioners and provides the foundation for them to develop descriptive and normative theories as well as codified best practices about the subject.

The authors—Fraser, Simkins, and Narvaez—have done an invaluable service to advance the science of enterprise risk management by collecting an extensive number of wonderful case studies that describe innovative risk management practices in a diverse set of companies around the world. This book should be an extremely valuable source of knowledge for anyone interested in the emerging and evolving field of risk management. We should be grateful to the editors and to each chapter author for expanding the body of knowledge for risk management professionals and academics.

Robert S. Kaplan
Senior Fellow, Marvin Bower Professor of Leadership Development, Emeritus
Harvard University

CHAPTER 1
Enterprise Risk Management Case Studies
An Introduction and Overview

JOHN R.S. FRASER
Senior Vice President, Internal Audit, and former Chief Risk Officer, Hydro One Networks Inc.
BETTY J. SIMKINS
Williams Companies Chair of Business and Professor of Finance, Oklahoma State University
KRISTINA NARVAEZ
President and Owner of ERM Strategies, LLC

Businesses, business schools, regulators, and the public are now scrambling to catch up with the emerging field of enterprise risk management.
—Robert Kaplan (quote from Foreword in Fraser and Simkins, 2010)

Most executives with MBA degrees were not taught ERM. In fact, there are only a few universities that teach ERM. So some business school graduates are strong in finance, marketing, and management theory, but they are limited in terms of critical thinking, business acumen, and risk analysis skills.
—Paul Walker¹
THE EVOLUTION OF ENTERPRISE RISK MANAGEMENT

Over the past two decades enterprise risk management (ERM) has evolved from concepts and visions of how risks should be addressed to a methodology that is becoming entrenched in modern management and is now increasingly expected by those in oversight roles (e.g., governing bodies and regulators). As Felix Kloman describes in his chapter “A Brief History of Risk Management,” published in Fraser and Simkins (2010), many of the concepts go back a very long time and many of the so-called newly discovered techniques can be referenced to the earlier writings and practices described by Kloman. However, it is only from around the mid-1990s that the concept of giving a name to managing risks in a holistic way across the many operating silos of an enterprise started to take hold. In the 1990s, terms such as integrated risk management and enterprise-wide risk management were also used. Many thought leaders, for example, those who created ISO 31000,² believe that the term risk management is all that is needed to describe good risk management; however, many others believe that the latter term is often used to describe risk management at the lower levels of the organization and does not necessarily capture the concepts of enterprise-level approaches to risk. As a result, the term ERM is used throughout this book.

As ERM continues to evolve there is still much discussion and confusion over exactly what it is and how it should be achieved. It is important to realize that it is still evolving and may take many more years before it is fully codified and practiced in a consistent way. In fact, there is a grave danger now of believing that there is only one way of doing ERM. This is probably a mistake by regulators who have too eagerly seized some of these concepts and are trying to impose them when the methods are not fully understood, and in some cases the requirements are unlikely to produce the desired results. As Fraser and Simkins (2010) noted in their first book on ERM: “While regulatory interest can force ERM into companies, if not done well, it can become another box-ticking exercise that adds little value.”³

The leading and most commonly agreed⁴ guideline to holistic risk management is ISO 31000. However, it should be mentioned that in the United States the COSO 2004 Enterprise Risk Management–Integrated Framework has been the dominant framework used to date. Many organizations are currently adopting one or the other of these frameworks and then customizing them to their own context.
WHY THE NEED FOR A BOOK WITH ERM CASE STUDIES?

Following the success of the earlier Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives by Fraser and Simkins (2010), we found through our own teaching experiences, and by talking to others, that there was an urgent need for a university-level textbook of ERM case studies to help educate executives, risk practitioners, academics, and students alike about the evolving methodology. As a result, Fraser and Simkins, together with Kristina Narvaez, approached many of the leading ERM specialists to write case studies for this book.

Surveys have also shown that there is a dire need for more case studies on ERM (see Fraser, Schoening-Thiessen, and Simkins 2008). Additionally, surveys of risk executives report that business risk is increasing due to new technologies, faster rate of change, increases in regulatory risk, and more (PWC 2014). As Paul Walker of St. John’s University points out in the opening quote of the 2014 American Productivity & Quality Center (APQC) report on ERM, “Most executives with MBA degrees were not taught ERM. In fact, there are only a few universities that teach ERM. So some business school graduates are strong in finance, marketing, and management theory, but they are limited in terms of critical thinking, business acumen, and risk analysis skills.” Learning Centered Teaching (LCT), as discussed in Chapter 2, is an ideal way to achieve this. Using LCT and the case study approach, students actively participate in the learning process through constructive reflective reasoning, critical thinking and analysis, and discussion of key issues. This is the first book to provide such a broad coverage of case studies on ERM.

The case studies that follow are from some of the leading academics and practitioners of enterprise risk management. While many of the cases are about real-life situations, there are also those that, while based on real-life experiences, have had names changed to maintain confidentiality or are composites of several situations. We are deeply indebted to the authors and to the organizations that agreed so kindly to share their stories to help benefit future generations of ERM practitioners. In addition, we have added several chapters where we feel the fundamentals of these specialized techniques (e.g., VaR) deserve to be understood by ERM students and practitioners. Each case study provides opportunities for executives, risk practitioners, and students to explore what went well, what could have been done differently, and what lessons are to be learned.

Teachers of ERM will find a wealth of material to use in demonstrating ERM principles to students. These can be used for term papers or class discussions, and the approaches can be contrasted to emphasize different contexts that may require customized approaches. This book introduces the reader to a wide range of concepts and techniques for managing risks in a holistic way, by correctly identifying risks and prioritizing the appropriate responses. It offers a broad overview of the various types of ERM techniques, the role of the board of directors, risk tolerances, profiles, workshops, and allocation of resources, while focusing on the principles that determine business success.

Practitioners interested in implementing ERM, enhancing their knowledge on the subject, or wishing to mature their ERM program, will find this book an absolute must resource to have. Case studies are one of the best ways to learn more on this topic.

This book is a companion to Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (Fraser and Simkins 2010). Together, these two books can create a curriculum of study for business students and risk practitioners who desire to have a better understanding of the world of enterprise risk management and where it is heading in the future. Boards and senior leadership teams in progressive organizations are now engaging in building ERM into their scenario-planning and decision-making processes. These forward-looking organizations are also integrating ERM into the business-planning process with resource allocation and investment decisions. At the business unit level, ERM is being used to measure the performance of risk-taking activities of employees.

As these case studies demonstrate, ERM is a continuous improvement process and takes time to evolve. As can be gleaned from these case studies, most firms that have taken the ERM journey started with a basic ERM language, risk identification, and risk-assessment process and then moved down the road to broaden their programs to include risk treatments, monitoring, and reporting processes. The ultimate goal of ERM is to have it embedded into the risk culture of the organization and drive the decision-making process to make more sound business decisions.
SUMMARY OF THE BOOK CHAPTERS

As mentioned earlier, the purpose of this book is to provide case studies on ERM in order to educate executives, risk practitioners, academics, and students alike about this evolving methodology. To achieve this goal, the book is organized into the following sections:

Part I: Overview and Insights for Teaching ERM
Part II: ERM Implementation at Leading Organizations
Part III: Linking ERM to Strategy and Strategic Risk Management
Part IV: Specialized Aspects of Risk Management
Part V: Mini-Cases on ERM and Risk
Part VI: Other Case Studies

Brief descriptions of the contributors and the chapters are provided next.

PART I: OVERVIEW AND INSIGHTS FOR TEACHING ERM

The first two chapters provide an overview of ERM and guidance on ERM education. As we have pointed out, education on ERM is crucial and more universities need to offer courses in this area. Our conversations with many ERM educators and consultants highlight how extremely challenging it is to achieve excellence in ERM education.

Chapter 2, “An Innovative Method to Teaching Enterprise Risk Management: A Learner-Centered Teaching Approach,” offers insights and suggestions on teaching ERM. This chapter covers the concept of flipping the classroom with learner-centered teaching (LCT), distinguishes it from traditional lectures, and describes how it can be used in teaching ERM. The LCT approach emphasizes active student participation and collaboration on in-class activities such as case studies versus the traditional lecture approach. This chapter provides several examples as to how LCT can be applied in teaching ERM, utilizing Fraser and Simkins’ (2010) book. David R. Lange and Betty J. Simkins, both experienced ERM educators, team together to write this chapter. David Lange, DBA, is an Auburn University Montgomery (AUM) Distinguished Research and Teaching Professor of Finance. He has received many prestigious awards for both research and teaching from the University and from several academic associations. He has taught many courses in the area of risk management and has consulted in a significant number of individual and class insurance–related cases in both state and federal court. Betty Simkins, PhD, the Williams Companies Chair of Business and Professor of Finance at Oklahoma State University, is coeditor of this book.

PART II: ERM IMPLEMENTATION AT LEADING ORGANIZATIONS

Part II is a collection of ERM case studies that give examples of how ERM was developed and applied in major organizations around the world. Note that there is no perfect ERM case study and the objective is for readers to assess what they believe was successful or not so successful about these ERM programs.

ENTERPRISE RISK MANAGEMENT CASE STUDIES 5
The first case study in this book describes ERM at Mars, Inc. Larry Warner, who
is the former corporate risk manager at Mars, Inc. and now is president of Warner
Risk Group, describes the ERM program at the company in Chapter 3. Mars is
a global food company and one of the largest privately held corporations in the
United States. It has more than 72,000 associates and annual net sales in excess
of $33 billion across six business segments—Petcare, Chocolate, Wrigley, Food,
Drinks, and Symbioscience. Its brands include Pedigree, Royal Canin, M&M’s,
Snickers, Extra, Skittles, Uncle Ben’s, and Flavia. With such complex business oper-
ations, Mars recognized the importance of providing its managers with a tool to
knowledgably and comfortably take risk in order to achieve its long-term goals.
Mars business units use its award-winning process to test their annual operating
plan and thereby increase the probability of achieving these objectives.
The case study in Chapter 4 entitled “Value and Risk: ERM in Statoil” was writ-
ten by Alf Alviniussen, who is the former Group Treasurer and Senior Vice Pres-
ident of Norsk Hydro ASA, Oslo, Norway, and Håkan Jankensgård who holds
a PhD in risk management from Lund University, Sweden. Håkan is also a for-
mer risk manager of Norsk Hydro. In this case study, the authors discuss ERM at
Statoil, one of the top oil and gas companies in the world, located in Norway. In
Statoil, understanding and managing risk is today considered a core value of the
company, which is written into the corporate directives and widely communicated
to employees. ERM is thoroughly embedded in the organization’s work processes,
and its risk committee has managed the transition from a “silo”-mentality to pro-
moting Statoil’s best interests in areas where risk needs to be considered.
Chapter 5, called “ERM in Practice at University of California Health Systems,” is written by its former Chief Risk Officer (CRO), Grace Crickette, who is now the Senior Vice President and Chief Risk and Compliance Officer of AAA Northern California, Nevada, and Utah. The University of California’s (UC) Health System comprises numerous clinical operations, including five medical centers that support the clinical teaching programs for the university’s medical and health science schools and handle more than three million patient visits each year. ERM plays an important role at the UC Health System and assists the organization in assessing and responding to all risks (operational, clinical, business, accreditation, and regulatory) that affect the achievement of the strategic and financial objectives of the UC Health System.
The descriptive case study in Chapter 6, written by Dr. Mark Frigo from DePaul University and Hans Læssøe, the Strategic Risk Manager of the LEGO Group, provides a great example of integrating risk management in strategy development and strategy execution at the LEGO Group, which is based on an initiative started in late 2006 and led by co-author Hans Læssøe. The LEGO methodology is also part of the continuing work of the Strategic Risk Management Lab at DePaul University, which is identifying and developing leading practices in integrating risk management with strategy development and execution.
United Grain Growers (UGG), a conservative 100-year-old Winnipeg, Canada-based grain handler and distributor of farm supplies, was an ERM pioneer. Chapter 7, called “Turning the Organizational Pyramid Upside Down: Ten Years of Evolution in Enterprise Risk Management at United Grain Growers,” analyzes the ERM program at United Grain Growers 15 years later. When UGG announced that it had implemented a new integrated risk-financing program in 1999, it received a great deal of attention in the financial press. CFO magazine hailed the UGG program as “the deal of the decade.” The Economist characterized it as a “revolutionary advance in corporate finance,” and Harvard University created a UGG case study. While most outside attention focused on the direct financial benefits of implementing the program (protection of cash flow, the reduced risk capital required, and a 20 percent increase in stock price), scant attention was given to the less tangible and therefore less measurable issues of governance, leadership, and corporate culture, the conditions that enabled such innovation. It was a combination of a collaborative leadership open to new ideas, a culture of controlled risk taking, and active risk oversight by the board that produced a strategic approach to UGG’s risk management process. This chapter is written by John Bugalla, who is the principal of ermINSIGHTS.
John Hargreaves has written Chapter 8, titled “Housing Association Case Study of ERM in a Changing Marketplace.” He has a mathematics degree from Cambridge University and six years of strategy consultancy experience at KPMG. This case study features four real-life charitable housing associations in England and Wales, each with a different strategy and risk environment. Simple yet practical tools to assist in risk identification and prioritization are also presented. This case study has two main aims. The first is to help develop an understanding of the importance of ERM in a charitable context, showing that modern charities are often very active organizations that face significant risks. Second, the case aims to illustrate the need for a close relationship between risk assessment and strategy development, particularly in sectors where objectives are defined in social as well as economic terms. Each of the four cases has a different perspective and challenges the student or practitioner to identify and assess the risks and develop possible risk treatments for each.
Chapter 9, “Lessons from the Academy: ERM Implementation in the University Setting,” was written by Anne E. Lundquist. She is pursuing a PhD in the Educational Leadership program at Western Michigan University with a concentration in Higher Education Administration. This chapter explores the unique aspects of the University of Washington’s (UW) risk environment, including how leadership, goal-setting, planning, and decision-making differ from the for-profit sector. The lack of risk management regulatory requirements, combined with cultural and environmental differences, helps explain why there are a limited number of fully evolved ERM programs at colleges and universities. The second half of the chapter explores the decision to adopt and implement ERM at UW, including a description of early decisions, a timeline of how the program evolved, a discussion of the ERM framework, and examples of some of the tools used in the risk management process. It traces the evolution of the UW program and demonstrates the decisions that administrators made to tailor ERM to fit the decentralized culture of a university.
The case study in Chapter 10, “Developing Accountability in Risk Management: The British Columbia Lottery Corporation Case Study,” demonstrates how ERM was successfully implemented in a Canadian public sector organization over a 10-year period. Jacquetta Goy, author of this chapter, was the Senior Manager, Risk Advisory Services at British Columbia Lottery Corporation and was responsible for establishing and developing the ERM program. Currently, Jacquetta is the Director of Risk Management at Thompson Rivers University, Canada. This case study focuses on the initiation, early development, and sustainment of the ERM program, highlighting some of the barriers and enablers that affected implementation. This case study includes a focus on developing risk profiles; the role of risk managers, champions, and committees; and the development of effective risk evaluation tools. The approach to ERM has evolved from informal conversations supported by an external assessment, through a period of high-level corporate focus supported by a dedicated group of champions using voting technology, to an embedded approach in which risk assessment is incorporated into both operational practice and planning.
Chapter 11, “Starting from Scratch: The Evolution of ERM at the Workers Compensation Fund,” describes the evolution of a formal ERM program at a midsize property and casualty insurance carrier. This chapter is authored by Dan Hair, the CRO of the Workers Compensation Fund. In this chapter, the motivations of executive management and the board of directors in taking existing strategic risk management discussions to a higher level are reviewed. The step-by-step actions taken by the company to develop the ERM program are explained in chronological order. External resources used are also commented upon. The chapter concludes with a discussion of striking an ongoing balance between program rigor, documentation, and business needs.
Chapter 12, “Measuring Performance at Intuit: A Value-Added Component in ERM Programs,” shows how Intuit, maker of Quicken, QuickBooks, and TurboTax, is committed to creating new and easier ways for consumers and businesses to tackle life’s financial chores, giving them more time to live their lives and run their businesses. This case study shows how Intuit, a global company, is exposed to a wide range of customer-related and operational risks. Understanding the risk landscape enables Intuit to formulate and execute strategies to address potential pitfalls and opportunities. The author, Janet Nasburg, is Chief Risk Officer at Intuit. Janet is responsible for driving Intuit’s ERM capability, ensuring that the company appropriately balances opportunities and risks to achieve optimal business results. Before Intuit, Janet spent 16 years in various finance roles at Visa, and has more than 30 years of risk management and finance experience.
Chapter 13 describes TD Bank’s ERM program and how it has been developed to reinforce the risk culture and ensure that all stakeholders have a common understanding of how risks are addressed within the organization. This is achieved by identifying the risks to TD Bank’s business strategy and operations, determining the types of risk it is prepared to take, establishing policies and practices to govern risks, and following an ERM framework to manage those risks. This chapter is co-authored by Paul Cunha and Kristina Narvaez. Paul Cunha is Vice President, Enterprise Risk Management at TD Bank. During his career at TD Bank, he has spent time in risk management, internal audit, retail banking, commercial banking, and corporate and investment banking. Kristina Narvaez is the president and owner of ERM Strategies, LLC, and is co-editor of this book.
PART III: LINKING ERM TO STRATEGY AND STRATEGIC RISK MANAGEMENT
Part III of this book demonstrates the link between ERM and strategy in what is now being called strategic risk management (SRM). SRM represents an important evolution in enterprise risk management, shifting from a reactive approach to a proactive approach in dealing with the large spectrum of risks across the organization. These case studies view their risk-taking activities in a strategic way, not only to protect the organization’s value and assets, but also to be able to capture new value that is in alignment with the strategic goals of the organization.
Zurich Insurance Group, the case study in Chapter 14, demonstrates the link between ERM and strategy. Zurich is a global insurance carrier and is exposed to a wide range of risks. Zurich recognizes that taking the right risks is a necessary part of growing and protecting shareholder value. It is careful not to miss valuable market opportunities that could attract the best talent and investor capital, but must also balance the growth opportunities with the reality that it is operating in a complex world economy. This chapter is co-authored by Linda Conrad, Director of Strategic Business Risk Management at Zurich, and Kristina Narvaez, president and owner of ERM Strategies, LLC and co-editor of this book. Linda leads a global team responsible for delivering tactical solutions to Zurich and to its customers on strategic issues such as business resilience, supply chain risk, ERM, risk culture, and total risk profiling.
Chapter 15, “Embedding ERM into Strategic Planning at the City of Edmonton,” is written by Ken Baker, the City’s ERM Program Manager. This study examines the process used by the City of Edmonton in Alberta, Canada, to establish its strategic ERM model. After examining several existing frameworks, the City decided on a framework based on the ISO 31000 risk management standard, but customized to suit the City’s needs. During the process, administration had to weigh factors common to any large organization, as well as those specific to governments in general and municipalities in particular. The chronicling of this process may assist those in similar organizations to more successfully implement their own ERM and SRM programs.
Chapter 16 gives a brief history of the evolution of enterprise risk management and describes a new and innovative approach (value mapping) to measuring the potential value of taking risks. This chapter also provides a model for incorporating the ERM process into strategic planning. John Bugalla, Principal of ermINSIGHTS and author of Chapter 7, and James Kallman, a finance professor at St. Edward’s University, co-author this chapter. John’s experience includes 30 years in the risk management profession, serving as Managing Director of Marsh & McLennan, Inc., Willis Group, Plc., and Aon Corp., before founding ermINSIGHTS. James teaches courses in finance, statistics, and risk management.
PART IV: SPECIALIZED ASPECTS OF RISK MANAGEMENT
Part IV of the book captures unique aspects of ERM so that the reader can learn about the many broad applications, including insights into managing specific types of risk. This part starts with a case study in Chapter 17 of the challenges of risk management within a typical police department. This case is followed by eight additional chapters addressing other intriguing aspects of risk management.
Andrew Graham reveals the complex and challenging aspects of risk management in Chapter 17, “Developing a Strategic Risk Plan for the Hope City Police Service.” This fictional case study was developed based on many years of teaching risk management to police forces. The setting is a medium-sized but growing city that is facing many issues, including changes in demographics, traffic issues, budgetary challenges, and so on. The student is required to act as a consultant who has been hired by the chief of police to assist him in briefing the Police Services Board and the mayor in understanding the most critical risks to their objective of having a best-in-class police service for their citizens. Andrew Graham researches, teaches, and writes on public-sector management, financial management, integrated risk management, and governance at Queen’s University School of Policy Studies, Canada, as well as in a variety of international and Canadian venues. Andrew had an extensive career in Canada’s criminal justice system and has taught and worked with police services and police boards and commissioners in a variety of ways for the past 10 years.
Chapter 18, “Blue Wood Chocolates,” is designed to facilitate discussion of the implementation of an ERM framework, corporate governance issues, and commodity risk management. The situation that this fictional company faces is typical of many midsize companies that have performed satisfactorily in the past but are exposed, often unknowingly, to major potential risks and do not have the internal governance and risk management structures to identify, quantify, and manage such risks adequately. In particular, this case illustrates commodity and foreign currency exposures, and challenges the student to investigate the specifics of hedging such positions. Rick Nason, PhD, CFA, and Stephen McPhie, CA, coauthored this chapter. Rick is an associate professor of finance at Dalhousie University, Canada, and is also a founding partner of RSD Solutions, a risk management consultancy firm. His coauthor, Stephen McPhie, CA, is a partner of RSD Solutions Inc. and has also held various positions in the United States, Canada, and the United Kingdom with a major Canadian bank.
Foreign exchange (FX) risk is one of the greatest financial risks a company faces when expanding globally. Chapter 19, “Kilgore Custom Milling,” illuminates the myriad issues that arise when hedging FX risk, such as those faced by a midsize original equipment manufacturer (OEM) operating in the automobile industry. Kilgore Custom Milling (a fictional company) needs to develop a hedging strategy to manage its foreign exchange risk for a new contract and decide what type of derivatives to use, what size of hedge to implement, and how the company’s financial risk management fits in with its overall ERM process. Rick Nason and Stephen McPhie, coauthors of Chapter 18, team up again to explore the complex and challenging issues that many companies face with FX risk.
ERM is currently of very high interest to companies operating in the Middle East, an area that presents unique challenges for implementation. Alexander Larsen captures this scenario in Chapter 20, “Implementing Risk Management within Middle Eastern Oil and Gas Companies.” This case study is based on real-life examples of Middle Eastern oil and gas companies and captures the challenges of implementing risk management in the Middle East. Alexander Larsen holds a degree in risk management from Glasgow Caledonian University and is a Fellow of the Institute of Risk Management. He has over 10 years of experience across a wide range of sectors, including oil and gas, construction, utilities, finance, and the public sector. Alexander has considerable expertise in training and working with organizations to develop, enhance, and embed their ERM.
Public safety organizations are increasingly adopting sophisticated enterprise governance and risk management techniques as a means of managing their programs and expenditures. Root cause analysis can provide these agencies with detailed insights into the problems and issues they face, and provide them with the information they need to make informed decisions on risk management. Chapter 21, “The Role of Root Cause Analysis in Public Safety ERM Programs,” explores these issues by presenting six common root cause analysis techniques that are applied in a public safety or law enforcement environment. The chapter author, Andrew Bent, is a practicing risk manager with a large Canadian integrated energy company and was previously in charge of ERM for one of Canada’s largest municipal police services.
Chapter 22, “JAA Inc.—A Case Study in Creating Value from Uncertainty: Best Practices in Managing Risk,” provides extensive details about ERM implementation in a fictional international organization and discusses topics including governance structure, the processes, and the various tools used. The case is built on the principles and guidance of ISO 31000 and the implementation guidance in the Australian and New Zealand handbook HB 436. This case emphasizes the roles of the heads of the internal audit function and the risk management function. The three coauthors of this chapter have extensive experience in risk management. Julian du Plessis, Head of Internal Audit at AVBOB Mutual Assurance Society, South Africa, has over eight years of financial sector experience. Arnold Schanfield is a Principal with Schanfield Risk Management Advisors LLC, and is an internal audit and risk professional with diversified industry expertise. Alpaslan Menevse is currently the Risk Officer at Sekerbank T.A.S., which has in excess of 310 branches in Turkey. He has 28 years of experience in information systems, both as an academic and as a practitioner.
A book on ERM case studies is not complete without some coverage of risk management failures. One of the most famous failures involving operational risk is discussed in Chapter 23, “Control Complacency: Rogue Trading at Société Générale.” In January 2008, Société Générale uncovered €49 billion of unauthorized equity positions at its Paris head office, which cost €4.9 billion to unwind. Using an interactive format, this case study analyzes the origins, actors, causes, and consequences of this notorious control breakdown and derives risk management lessons from it in the areas of corporate governance, controls, compliance, systems, technology, and reputation risk. The author, Steve Lindo, Principal, SRL Advisory Services, has many years of experience in ERM and provides thorough and fascinating coverage of this disaster.
Value at risk (VaR) is one of the most widely used techniques to measure financial risks, particularly in the area of investment portfolios. However, it is a technique that many risk managers do not fully understand. In Chapter 24, “The Role of VaR in Enterprise Risk Management: Calculating Value at Risk for Portfolios Held by the Vane Mallory Investment Bank,” VaR is described along with its underlying assumptions, advantages, and disadvantages. Several examples for single assets are detailed for both the dollar and percentage VaR estimation methods. The main focus of this case study is a tutorial on calculating VaR for portfolios of assets using the covariance approach utilized in portfolio theory. Allissa A. Lee coauthored this case study with Betty J. Simkins. Allissa is an assistant professor of finance in the College of Business Administration at Georgia Southern University. She has published several academic articles and also worked in the mortgage industry for MidFirst Bank. Betty, coeditor of this book, is the Williams Companies Chair of Business and Professor of Finance at Oklahoma State University.
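A worked illustration of the covariance approach that the Chapter 24 summary refers to, added here as an editor’s example rather than code from the chapter or the Vane Mallory case: parametric (variance-covariance) VaR in Python for single positions, in both percentage and dollar terms, and for a portfolio whose variance is w^T Σ w. The two positions, their daily volatilities and the 0.3 correlation are constructed sample inputs; the method assumes normally distributed, zero-mean returns and square-root-of-time scaling to longer horizons, which are exactly the assumptions that limit VaR in practice.

```python
"""Parametric (variance-covariance) VaR for single assets and a portfolio.

Added worked example, not code from the chapter. Position values, daily
volatilities and correlations below are constructed sample inputs.
"""
import math
from statistics import NormalDist


def z_score(confidence: float) -> float:
    """One-sided normal quantile: about 2.326 for 99 %, 1.645 for 95 %."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    return NormalDist().inv_cdf(confidence)


def single_asset_var(value, daily_vol, confidence=0.99, horizon_days=1):
    """Return (percentage VaR, dollar VaR) for one position.

    Assumes normally distributed returns with zero mean, so the loss not
    exceeded with probability `confidence` is z * sigma * sqrt(horizon).
    """
    pct = z_score(confidence) * daily_vol * math.sqrt(horizon_days)
    return pct, pct * value


def covariance_matrix(vols, corr):
    """Build the covariance matrix from volatilities and a correlation matrix.

    Validates shape, symmetry and unit diagonal so that a mistyped
    correlation does not silently produce a wrong VaR.
    """
    n = len(vols)
    if len(corr) != n or any(len(row) != n for row in corr):
        raise ValueError("correlation matrix must be n x n")
    for i in range(n):
        if not math.isclose(corr[i][i], 1.0):
            raise ValueError("correlation diagonal must be 1")
        for j in range(n):
            if abs(corr[i][j]) > 1.0 or not math.isclose(corr[i][j], corr[j][i]):
                raise ValueError("correlation matrix must be symmetric with |rho| <= 1")
    return [[corr[i][j] * vols[i] * vols[j] for j in range(n)] for i in range(n)]


def portfolio_var(values, vols, corr, confidence=0.99, horizon_days=1):
    """Return (percentage VaR, dollar VaR) for the whole portfolio.

    Portfolio variance is w^T Sigma w with weights w_i = value_i / total,
    the covariance approach of portfolio theory referred to in the text.
    """
    if len(values) != len(vols):
        raise ValueError("one volatility per position")
    total = sum(values)
    if total <= 0:
        raise ValueError("portfolio value must be positive")
    w = [v / total for v in values]
    cov = covariance_matrix(vols, corr)
    n = len(w)
    variance = sum(w[i] * w[j] * cov[i][j] for i in range(n) for j in range(n))
    if variance < 0:  # only possible with an inconsistent correlation matrix
        raise ValueError("correlation matrix is not positive semi-definite")
    pct = z_score(confidence) * math.sqrt(variance) * math.sqrt(horizon_days)
    return pct, pct * total


def diversification_benefit(values, vols, corr, confidence=0.99, horizon_days=1):
    """Compare the sum of stand-alone dollar VaRs with the portfolio dollar VaR.

    Returns (undiversified, diversified, benefit). The benefit is zero only
    when every pair of positions is perfectly correlated.
    """
    undiversified = sum(
        single_asset_var(v, s, confidence, horizon_days)[1] for v, s in zip(values, vols)
    )
    _, diversified = portfolio_var(values, vols, corr, confidence, horizon_days)
    return undiversified, diversified, undiversified - diversified


# Constructed two-position book: $600k in an equity with 2 % daily vol,
# $400k in a bond fund with 1 % daily vol, correlation 0.3 (sample data).
SAMPLE_VALUES = [600_000.0, 400_000.0]
SAMPLE_VOLS = [0.02, 0.01]
SAMPLE_CORR = [[1.0, 0.3], [0.3, 1.0]]

if __name__ == "__main__":
    for v, s in zip(SAMPLE_VALUES, SAMPLE_VOLS):
        pct, usd = single_asset_var(v, s)
        print(f"position {v:>10,.0f}: 1-day 99% VaR {pct:.4%} = ${usd:,.0f}")
    undiv, div, benefit = diversification_benefit(SAMPLE_VALUES, SAMPLE_VOLS, SAMPLE_CORR)
    print(f"sum of stand-alone VaRs ${undiv:,.0f}, portfolio VaR ${div:,.0f}, "
          f"diversification benefit ${benefit:,.0f}")
    _, ten_day = portfolio_var(SAMPLE_VALUES, SAMPLE_VOLS, SAMPLE_CORR, horizon_days=10)
    print(f"10-day 99% portfolio VaR ${ten_day:,.0f}")
```

With the sample book, the two stand-alone 99 percent one-day VaRs add up to roughly $37,200 while the portfolio VaR is roughly $32,000; setting every correlation to 1 makes the two figures coincide, which is a useful sanity check when reviewing someone else’s VaR spreadsheet. The normal-distribution assumption is the weak point: fat-tailed returns or a correlation matrix that breaks down in a crisis make the number an underestimate, which is the kind of caveat the chapter’s discussion of assumptions and disadvantages is about.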
Chapter 25, “Uses of Efficient Frontier Analysis in Strategic Risk Management,” covers an advanced analytical technique, efficient frontier analysis (EFA), where complex property and casualty risk profiles are being considered. This chapter provides insights into risk portfolio volatility, pricing, and insurance layering efficiency using EFA, applied to a risk portfolio that presents catastrophic loss potential within the context of strategic risk management. This chapter’s coauthors are Ward Ching, who is Vice President, Risk Management Operations, at Safeway Inc., and Loren Nickel, who is Regional Director and Actuary, Actuarial and Analytics Practice, at Aon Global Risk Consulting. Both authors have extensive experience in property and casualty risk management and share their expertise in this specialized topic of ERM.
PART V: MINI-CASES ON ERM AND RISK
Mini-cases are a very powerful and highly useful resource in teaching ERM and can be easily utilized in short time periods such as a one-hour class segment. This part fills a gap in the education literature on ERM and includes six fictional mini-cases that have been developed by leading risk practitioners who draw from the wealth of their experiences in various applications of risk management.
Chapter 26, “Bim Consultants Inc.,” is based on a real event in which a company was faced with an important strategic acquisition decision. All names and data have been changed for confidentiality reasons. The purpose of the case is to illustrate the complexity of making strategic decisions and how greed and ego can cause a firm to change strategy in a way that may put the business at risk. The author, John Fraser, Senior Vice President, Internal Audit, and former Chief Risk Officer of Hydro One Networks Inc., is also coeditor of this book. Fraser is currently an adjunct professor at York University, Canada, and a member of the faculty of the Directors College. He is a recognized authority on ERM and has written extensively on the topic.
Chapter 27, “Nerds Galore,” is based on a fictitious small services company that appears to be on the verge of a major downturn. The focus of the case study is human resources–related risks, and the exercise is to conduct a risk assessment to aid in making the decision on whether to proceed with a major human resources strategy. This case study could be used as the basis for an actual risk workshop simulation with students role-playing various positions on the management team. Rob Quail, the author of this case study, draws on his extensive experience as Director of ERM at Hydro One Networks Inc., and provides an excellent mini-case to illuminate ERM applications.
Can a company have a successful ERM program that does not involve a key function, such as the legal department? And if it is not willing to participate, how do you convince this department to commit to ERM? The reader is challenged with tackling this crucial issue in Chapter 28, “The Reluctant General Counsel.” This mini-case is about the implementation of ERM at a software company and illustrates the challenges faced when the general counsel of the company has reservations and is not willing to support the implementation. The author, Norman Marks, CPA, CRMA, has been chief audit executive of major global corporations for over 20 years, and is highly regarded in the global profession of internal auditing. Furthermore, he is a prolific blogger about internal audit, risk management, governance, and compliance.
Chapter 29, “Transforming Risk Management at Akawini Copper,” describes how the approach to managing risk can be transformed and enhanced in a company. The case study is based on a hypothetical mining company, Akawini Copper, that has recently been acquired by an international concern. It draws on the practical concepts of ISO 31000 to show how a weak approach to risk management can be enhanced to be more robust and comprehensive by following a logical framework and transformation plan. The author, Grant Purdy, has worked in risk management for more than 35 years, across a wide range of industries and in more than 25 countries. Grant is coauthor of the 2004 version of AS/NZS 4360 and also of AS/NZS 5050, a standard for managing disruption-related risk, and has also written many risk management handbooks and guides.
Richard Leblanc, PhD, who is a governance lawyer, certified management consultant, and Associate Professor of Law, Governance, and Ethics at York University, draws on his extensive experience in board of director effectiveness when writing Chapter 30, “Alleged Corruption at Chessfield: Corporate Governance and the Risk Oversight Role of the Board of Directors.” Richard has advised regulators on corporate governance guidelines, and, as part of his external professional activities, has served as an external board evaluator and governance adviser for many companies, as well as in an expert witness capacity in litigation concerning corporate governance reforms. This case deals with the inner workings of a large organization’s board of directors, including allegations of corruption and self-dealing, and provides the reader with a captivating illustration of risk management shortcomings in governance and internal controls.
Diana Del Bel Belluz, president and founder of Risk Wise, Inc., draws on her experience in operational risk when writing Chapter 31, “Operational Risk Management Case Study: Bon Boulangerie.” This mini-case provides the opportunity for students to discuss and present their knowledge of operational risk. It describes the challenges and opportunities faced by a fictional bakery business in a small city. The bakery’s owner has decided to expand the business for greater rewards, but in doing so is faced with a number of operational challenges. Additional information on the steps of operational risk management is available in Chapter 16 of Fraser and Simkins (2010). Diana has many years of consulting experience in ERM, and advances the practice of ERM through her thought leadership as an educator, conference organizer, speaker, and author of ERM resources.
PART VI: OTHER CASE STUDIES
Many risk management lessons can be learned from the financial crisis of 2008, and we begin this part with a chapter addressing this topic: Chapter 32, “Constructive Dialogue and ERM: Lessons from the Financial Crisis.” In this chapter, Tom Stanton eloquently examines the critical distinguishing factors between successful and unsuccessful firms in the crisis and refers to the presence or absence of these factors as constructive dialogue. Successful firms managed to create productive and constructive tension between those in the firm who wanted to do deals or offer certain financial products and services and those who were responsible for limiting risk exposures. Instead of simply deciding to do a deal or not, successful firms considered ways to hedge risks or otherwise reduce exposure from doing the deal. Thomas H. Stanton is a Fellow of the Center for Advanced Governmental Studies at Johns Hopkins University, a director of the Association of Federal Enterprise Risk Management, a former director of the National Academy of Public Administration, and a former member of the federal Senior Executive Service.
An important objective in this book is to provide global coverage of ERM by including insightful applications in various countries. Poland, after the transition to a free market economy in 1989, became open to knowledge and transfer of best practices from around the world. Chapter 33, “Challenges and Obstacles of ERM Implementation in Poland,” draws on years of research, both formal and informal, and documents the country’s first approaches to ERM implementation. The successes, challenges, and weaknesses are described and provide a valuable lesson for other countries, regions, or even organizations in how they might go about implementing ERM. Two experts on ERM implementation in Poland teamed together to write this chapter. Zbigniew Krysiak, PhD, is an associate professor of finance at the Warsaw School of Economics in Poland. He is the author or coauthor of more than 100 publications, intended both for practitioners and for the academic community, concerning finance, risk management, financial engineering, and banking. His coauthor, Sławomir Pijanowski, PhD, is president of the POLRISK Risk Management Association in Poland, where he is responsible for development of good risk management practices for the Polish market. He is coauthor of the Polish book titled Risk Management for Sustainable Business, published by the Polish Ministry of the Economy, and has many other accomplishments in the area of risk management.
Chapter 34, entitled “Turning Crisis into Opportunity: Building an ERM Program at General Motors,” was written by leaders of ERM at GM: Marc Robinson, Lisa Smith, and Brian Thelen. This case study chronicles the ground-up implementation of ERM at General Motors Company (GM), starting in 2010 after it emerged from bankruptcy. While GM recognizes that its ERM is a work in progress, there have been important successes both in improving the management of risk and in making better business decisions. Critical to these successes has been a clear strategic vision on adding value for the business leaders who are the true risk owners, unique decision tools such as game theory, and a continuous improvement mindset, including robust lessons learned. The study describes the lessons learned during implementation and some of the unique approaches, tools, and techniques that GM has employed. Examples of senior management reporting are also included.
The last case study in the book is also extremely insightful because it provides an excellent example of an ERM application at a company in Asia. The authors demonstrate in Chapter 35 how Astro, a Malaysia-based media company, uses ERM to grow through international acquisitions, and how it implements enterprise risk management not only to ensure sound risk management by its foreign subsidiaries and joint ventures, but also to make better risk/return decisions on its portfolio of direct investments. Both authors are authorities on ERM implementation globally. Ghislain Giroux Dufort is President of Baldwin Risk Strategies Inc., a consulting firm advising boards of directors and management teams on risk governance and ERM, and has over 25 years of experience. Patrick Adam Kanagaratnam Abdullah is the Vice President of ERM for Astro Overseas Limited (AOL), Malaysia. He specializes in the implementation of ERM practices across AOL’s investments and has over 21 years of experience in various areas of risk management.
CONCLUSION
As outlined above, the case studies and specialized topic chapters in this book present an impressive coverage of new information on enterprise risk management, and all chapters are written by leading ERM experts globally. To our knowledge, this is the first book to be published that provides such comprehensive coverage of ERM case studies. We hope you find this book a valuable resource in your education and/or implementation of ERM. We welcome your comments and suggestions. Answers to the end-of-chapter questions and detailed teaching notes to most cases are available to instructors at www.wiley.com.
NOTES
1. See the 2014 American Productivity & Quality Center Report.
2. ISO 31000 was issued by the International Organization for Standardization (ISO) in 2009. For a description refer to Chapter 7 of Fraser/Simkins by John Shortreed.
3. Fraser/Simkins, 15.
4. ISO 31000 has been agreed to by about 25 major countries of the international community as the guideline for risk management.
REFERENCES
American Productivity & Quality Center (APQC). 2014. APQC Report. www.apqc.org/.
Fraser, John, and Betty J. Simkins, eds. 2010. Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Hoboken, NJ: John Wiley & Sons.
Fraser, John, Karen Schoening-Thiessen, and Betty J. Simkins. 2008. “Who Reads What Most Often? A Survey of Enterprise Risk Management Literature Read by Risk Executives.” Journal of Applied Finance 18:1 (Spring/Summer).
PWC (PricewaterhouseCoopers). 2014. Risk in Review: Re-Evaluating How Your Company Addresses Risk. www.pwc.com/us/en/risk-assurance-services/publications/risk-in-review-transformation-management.jhtml.
ABOUT THE EDITORS
John R.S. Fraser is the Senior Vice-President, Internal Audit, and former Chief Risk
Officer of Hydro One Networks Inc., Canada, one of North America’s largest elec-
tricity transmission and distribution companies. He is a Fellow of the Institute of
Chartered Accountants of Ontario, a Fellow of the Association of Chartered Cer-
tified Accountants (U.K.), a Certified Internal Auditor, and a Certified Informa-
tion Systems Auditor. He has over 30 years of experience in the risk and control
field mostly in the financial services sector, including areas such as finance, fraud,
derivatives, safety, environmental, computers, and operations. He is a member
of the Faculty at the Directors College for the Strategic Risk Oversight Program,
and has developed and teaches a master’s degree course entitled Enterprise Risk
Management in the Masters in Financial Accountability Program at York Univer-
sity where he is an adjunct professor. He is a recognized authority on enterprise
risk management and has co-authored several academic papers on ERM. He is co-
editor of a best-selling university textbook released in 2010, Enterprise Risk Man-
agement: Today’s Leading Research and Best Practices for Tomorrow’s Executives.
Betty J. Simkins, PhD, is Williams Companies Chair of Business and Professor of
Finance at Oklahoma State University. Betty received her PhD from Case Western
Reserve University. She has had more than 50 publications in academic finance
journals. She has won awards for her teaching, research, and outreach, including
the top awards at Oklahoma State University: Regents Distinguished Research
Award and Outreach Excellence Award. Her primary areas of research are risk
management, energy finance, and corporate governance. Betty serves on the edi-
torial boards of nine academic journals, including the Journal of Banking and Finance;
is past coeditor of the Journal of Applied Finance; and is past president of the East-
ern Finance Association. She also serves on the Executive Advisory Committee of
the Conference Board of Canada’s Strategic Risk Council. In addition to this book,
she has published two others: Energy Finance and Economics: Analysis and Valuation,
Risk Management and the Future of Energy and Enterprise Risk Management: Today’s
Leading Research and Best Practices for Tomorrow’s Executives (co-edited with John
Fraser). Prior to entering academia, she worked in the corporate world for Cono-
coPhillips and Williams Companies. She conducts executive education courses for
companies globally.
Kristina Narvaez is the president and owner of ERM Strategies, LLC (www.erm-strategies.com), which offers ERM research and training to organizations on various ERM-related topics. She graduated from the University of Utah in environmental risk management and then received her MBA from Westminster College. She
is a two-time Spencer Education Foundation Graduate Scholar from the Risk and
Insurance Management Society and has published more than 25 articles relating
to enterprise risk management and board risk governance. She has given many
presentations to various risk management associations on topics of ERM. She is
an adjunct professor at Brigham Young University, teaching a business strategy
course for undergraduates.
PART I
Overview and Insights for Teaching ERM
CHAPTER 2
An Innovative Method to Teaching Enterprise Risk Management
A Learner-Centered Teaching Approach
DAVID R. LANGE
Distinguished Research and Teaching Professor of Finance, Auburn University Montgomery
BETTY J. SIMKINS
Williams Companies Chair of Business and Professor of Finance, Oklahoma State University
Learner-centered teaching (LCT), commonly referred to as “flipping the classroom” (Shibley and Wilson 2012), is an alternative to the traditional teacher lecture (TL). With LCT, students actively participate in the pedagogical process and take increased responsibility for learning through constructive reflective
reasoning. Where with TL content is covered, content in LCT is used as a “means
to learning” (Weimer 2002). LCT is ideally suited for content provided in lists,
tables, charts, and exhibits, and particularly so if these are in the form of topic
overviews, flowcharts, or summaries. The case method espouses similar student-
engaged learning processes by promoting critical thinking and analysis, creating
discussion of conflicting issues and requiring a decision (Bean 2011). LCT ampli-
fies and broadens student learning from cases. Hence, the case studies in this book
are ideal for teaching enterprise risk management (ERM) using LCT.
The chapter is presented in three sections. The first section clarifies the concept of flipping the classroom with LCT, distinguishing LCT from a TL, and explains why the growing LCT movement should be joined. The second section considers the what: Weimer’s (2002) Learner Centered Teaching “Five Key Changes to Practice,” a definitive paradigm for changing pedagogy to LCT from a TL. A final section, the appendix, provides examples of the how: using content to utilize LCT in an enterprise risk management (ERM) course at Auburn University Montgomery. The examples
are from Enterprise Risk Management: Today’s Leading Research and Best Practices
for Tomorrow’s Executives (Fraser and Simkins 2010), which opportunely provides
ERM content in the supporting formats. The LCT examples are provided in contrast to TL approaches, and include learning notes expanding the how of examples.

Exhibit 2.1 TL versus LCT

Bloom (1956)   | Anderson and Krathwohl (2001) | Expanded
Knowledge      | Remember: Recognize, recall   | Memorize, recollect, retain
Comprehension  | Understand: Interpret, explain | Comprehend, realize, apprehend
Application    | Apply: Calculate, solve        | Compute, estimate, determine
Analysis       | Analyze: Distinguish, relate   | Examine, explore, study, associate
Evaluation     | Evaluate: Critique, test       | Assess, appraise, review, comment
Synthesis      | Create: Hypothesize, devise    | Speculate, theorize, postulate, offer, imagine, assume, suggest
LEARNER-CENTERED TEACHING: THE WHY
Flipping the classroom refers to Bloom’s Cognitive Learning Taxonomy (1956), a
commonly accepted identification of levels of learning (Anderson and Krathwohl
2001; Bean 2011; Shibley and Wilson 2012), and thus an easily identifiable model
with which to distinguish LCT from TL. Exhibit 2.1 has inverted Bloom’s taxon-
omy to illustrate flipping the classroom. In a TL, the teacher normally progresses
through the taxonomy starting with imparting knowledge:
• Knowledge: covering content with PowerPoint presentations, lectures, and so on
• Comprehension: offering alternative descriptions and definitions, followed by a question of “What does this mean in your own words?”
• Application: solving problems step-by-step, demonstrating necessary calculations, and solving homework problems replicating calculations
• Analysis: comparing and explaining results from different problems
• Evaluation: questioning validity of assumptions, processes, and textbook sections on weaknesses in the model
• Synthesis: concluding with summaries and overviews
We may recognize the TL approach from our own experience or through class-
room observation of peers.
To further illustrate the levels of learning, Anderson and Krathwohl’s (2001)
revision of Bloom’s taxonomy is included in the center column of Exhibit 2.1.
The third column contains an expanded list of active learning for additional
clarification.
Learner-Centered Teaching
In LCT, content is used as a means to learning (Weimer 2002). Envision a learning
process in which students compute a financial problem, examine different points
of view, review and comment on an article, or postulate explanations for survey
results. The knowledge (content) is discovered and used by the students in the
learning process. Content in LCT is used as a means to learning (Weimer 2002),
not presented and covered as in the context of a TL. In effect, as the examples
will demonstrate, LCT enters Bloom’s Cognitive Learning Taxonomy through the
higher levels of application, analysis, evaluation, and synthesis.
Why LCT?
A primary explanation for education moving toward LCT is based on learning
research that supports “more active, inductive instruction” (Smart, Witt, and Scott
2012). Increased student engagement, strengthened team-based skills, personal-
ized student guidance, focused classroom discussion, and faculty freedom are sev-
eral benefits of the growing LCT pedagogical adoption (Millard 2012). In a review
of pedagogical literature with courses adopting LCT, Wright (2011, p. 96) found
college teachers believe “a more effective learning environment” was provided,
and “students tended to respond positively.” A smaller study by Wohlfarth et al.
(2008) acknowledged the need for further research and offered strong qualitative
student support of LCT’s importance in assisting learning.
There are several other reasons why LCT should be adopted. In a paper apply-
ing 29 components to benchmark the degree of LCT implementation, Blumberg
and Pontiggia (2011) note the importance of LCT in their institutions’ faculty devel-
opment workshops, the implications for assessments and accreditation, and poten-
tial student admission promotional material. Yang (2010, p. 80) offers a globaliza-
tion justification to adopt LCT, the need to “encourage students to actively partici-
pate in the discussion, and the need for students to fully express their views,” even
if it is counter to student cultural behavior.
Poor teaching experience with the TL is another supporting reason for LCT.
The prepared TL covering knowledge, with students attempting to retain and
simultaneously comprehend key points, may appear more as a sermon, speech,
homily, or oration. Instructors, from their own experience or through classroom
observation of peers, may relate to the “picture of somewhat lifeless students sit-
ting passively in classrooms, with glazed eyes, some struggling to stay awake in
dimmed classrooms as an instructor shared key concepts . . . using slides” (Smart,
Witt, and Scott 2012, p. 393).
The educational goal is to engage students to become active versus passive
learners by promoting critical thinking and “emphasizing inquiry” (Bean 2011, p.
38). LCT’s flipped classrooms focus on critique, assess, hypothesize, and speculate, the
higher levels of Bloom’s Cognitive Learning Taxonomy. The base levels of knowl-
edge and understanding may be assigned before class (Shibley and Wilson 2012).
FIVE KEY CHANGES TO PRACTICE: THE WHAT
Weimer’s Learner Centered Teaching (2002) “Five Key Changes to Practice” is a
definitive paradigm for changing pedagogy to LCT. This section describes each
of these “Five Key Changes to Practice,” which are:
1. The Balance of Power
2. The Function of Content
3. The Role of the Teacher
4. The Responsibility for Learning
5. Evaluation Purpose and Process
Consideration of the five steps with each of the LCT ERM examples paradoxi-
cally resembles the TL approach. Therefore, instructors are encouraged to appraise
their current pedagogy and associate the respective LCT changes to practice with
their course. To assist your movement to LCT, Weimer’s (2002) Part Two, “Imple-
menting the Learner-Centered Approach,” includes discussions of responding to
resistance from students and faculty, taking a developmental approach in convert-
ing students from passive to active learners, and making LCT work based on prin-
ciples of successful instructional improvement. Appendixes in Weimer (2002) offer
suggestions for the syllabus and learning log (Appendix A), handouts for devel-
oping learning skills (B), and a recommended reading list (C). Blumberg (2009)
provides an extensive step-by-step guide to adopting LCT.
The Balance of Power
The LCT classroom is more democratic than the TL, where sequencing, con-
tent, and information flow are one-way: professor to student. With LCT, stu-
dents actively participate in the learning process and are likely to alter its direc-
tion by connecting to prior tangential or experiential knowledge. Generally, the
teacher retains the responsibility for selecting the course content, learning goals,
and itinerary, though even these may include student input. Regardless, with LCT,
the learning path taken, the direction of course discussion, and practical exam-
ples are at the very least influenced, and more likely chosen, by the student; thus
“power is shared” (Weimer 2002).
LCT often includes case studies, small group discussions or assignments,
and/or designating a student to be a group discussion leader on a rotating basis.
Power sharing is not easy for teachers accustomed to a TL approach. But LCT
power sharing has several benefits. Students are more active, engaged, interested,
and motivated, and less passive and disconnected (Weimer 2002, p. 31). It is easier
for a student to hide in a class of 30, 50, or 100 than in a group of five students.
It should be noted that the student discussion leader is equally asked to “share
the power,” and there are potential “tough spots for running a risk management
workshop”—nonparticipation and dominators (Fraser and Simkins 2010, p. 169).
The Function of Content
With LCT, content is used in the learning process, not covered in the context of
the TL. This does not infer that the content, base knowledge, is not covered. It sim-
ply means that students do not first memorize the base knowledge for later recall.
Instead, students constructively examine, explore, review, and assess content. It is
extremely interesting to see students strongly arguing for the most important step
in an ERM process even when there may not actually be a hierarchy. Creating and
defending an argument for the most important step, what risk stands out, or what
is the most challenging step requires a cognitive reasoning process and a subtle
incorporation of base knowledge and linkage to previously learned material—the
LCT version of content coverage. With LCT, the content learning process “develops learning skills” and “promotes self-awareness of learning,” and students “experience it firsthand” (Weimer 2002, pp. 51–52).
The amount of content covered is a possible concern for those more inclined
toward a TL. However, contrary to expectations, experience suggests that more
content is covered, not less, as students explore and assess content versus
memorization.
As shown in the Appendix, Example #10, Chapter 18: “Managing Financial
Risk,” is a good illustration of more coverage. The TL approach gives an example
of the trade-offs, costs, and benefits of hedging with futures contracts, often start-
ing with a simple natural hedge. Here, the student records the respective payoffs to
long and short positions when prices change. Students memorize the transactions
and expect to replicate the steps with different numbers, and maybe even a dif-
ferent futures contract for a challenging TL course. With LCT, students first view
a short video about futures markets (www.cmegroup.com/), and then review the
listing of available futures contracts, selected quotes, and specifications. LCT sce-
narios in which futures contracts could be applied quite often begin with weather
futures, as students’ curiosity is awakened when they imagine rain, snow, and tor-
nadoes, not the TL farmer and cereal producer with corn futures. With LCT, stu-
dents first suggest, appraise, and associate scenarios with futures contracts, and
then calculate payoffs given the contract specifications. As noted previously, the
LCT teacher needs to be prepared to assist with any futures calculation.
A second example in the Appendix of expanded content is Example #13,
Chapter 23: “Academic Research on Enterprise Risk Management.” In a TL course,
students would memorize the articles and the findings of each, with the goal of
restating the findings on an exam. With LCT, critiquing, appraising, and theorizing
often lead to discussions of hypotheses. For example, why is there an expected rela-
tionship between ERM and “organizational slack” or “asset opacity” (Fraser and
Simkins 2010, p. 426)? This level of hypothetical discussion is considerably beyond
“Who found what?”
The Role of the Teacher
Perhaps the most difficult change in moving to LCT for a teacher accustomed to
the TL is that lectures are replaced with individual student learning, small group
discussions, or other group activities. The teacher’s role is that of a moderator, tour
guide, and/or facilitator of learning. This role is a necessary part of LCT, not an
option; the teacher “must move aside, often and regularly” (Weimer 2002, p. 74).
Serving as guide extends to after groups (or individuals) report their sugges-
tions, hypotheses, comments, explorations, or computations. It is very tempting to return
to the TL, the “sage on the stage,” with corrections, conclusions, or examples. A
moderator or facilitator would ask: Was your group in agreement? What issues
did you differ on? What do you believe is the lesson here, the point to be learned?
Does anyone else have a different solution or computation?
Granted, the teacher’s workload may be more, not less. We often prepare,
or receive with the textbook, a series of very structured lecture slides, “talking
PowerPoints,” demonstrating what and how much we know about the topic.
Our thorough, insightful, wise lecture is interrupted only by the proverbial
unanswered inquiries of: Does anyone have any questions? Is this clear? Do you
understand?
It is quite another task to be able to guide constructive explorative reasoning
and learning. It is not that LCT is without structure; it is that the LCT learning struc-
ture is flexible, fluctuating, adjustable, and often unpredictable. Weimer (2002, pp.
83–91) offers the following seven principles:
1. Teachers do learning tasks less.
2. Teachers do less telling; students do more discovering.
3. Teachers do more design work.
4. Faculty do more modeling.
5. Faculty do more to get students learning from and with each other.
6. Faculty work to create climates for learning.
7. Faculty do more with feedback.
The “Useful Facilitation Tips” for running a risk management workshop
(Fraser and Simkins 2010, p. 169) may serve a dual purpose as student content
and LCT advice:
• Inquire. Ask open-ended questions, such as “Why?” Ask participants to speak not just on behalf of themselves but about what they think others might be thinking. Ask for the contrary view: “What are some of the arguments against this?” Ask for evidence: “How do you know?”
• Restate. Summarize or paraphrase what you have just heard. Summarize the key points and then ask someone to add to them or comment on them or contradict them.
• Provoke. State extreme views that you might have heard or imagined on the subject under discussion. Encourage healthy debate.
• Use silence. After asking a question that gets no immediate response, it is extremely tempting to fill the silence by talking more or restating the question. Don’t. Wait through the silence. If you wait long enough, someone will speak.
• Get out of the way. If a good animated discussion starts to happen that is directly on topic and there is available time, try to “blend in with the furniture.” Walk to the side of the room or sit down. Let the students run with it. Wait for the discussion to peter out or drift off topic before again making your presence felt.
• Don’t overexplain. The authors’ experience is that the more participation (and less explanation or lecturing) there is in a workshop agenda, the more engaged the participants will be. Avoid lengthy descriptions of the steps to be taken or the underlying theory. Tell them the bare bones of what they need to do for the next step in the process, and then let them learn by doing.
The Responsibility for Learning
Teachers remain responsible for creating a learning environment, but students
take responsibility for learning (Weimer 2002). Many of the example questions,
exercises, and activities provided in the appendix were created by students in the
ERM course. Students on a rotating basis provide discussion questions and serve
as small group moderators. Student small group moderators are encouraged to
have every student engage in the discussion process, limiting individual students
who may try to dominate, and motivating timid students. Engaged students accept
the linkage between their actions and learning. Misbehavior is better corrected by
peers who see that learning is being prevented than by teacher retribution.
Students are also responsible for contributing to course content, further engag-
ing their interest and ownership of the responsibility for learning. For example, in
the Appendix, the tornado incident at the truck yard in LCT Example #6, Chapter
13: “Quantitative Risk Assessment in ERM,” was found by a student. The student
was delighted to share the discovered risk example, as other students accepted a
challenge to find additional videos of the incident or similar catastrophic events.
The whistle-blowing websites and information in LCT Example #12, Chapter 20:
“Legal Risk Post-SOX and the Subprime Fiasco,” were also found by students. The
content served as a basis for spirited group discussions on whistle-blowing. Con-
sider the benefit of 30 students searching and exploring the web for current content
versus the teacher presenting a few selected sites in a TL. Avoid the classic student
statement, “That seems like a good example, but I cannot quite relate to it. It was
before I was born.”
Evaluation Purpose and Process
It reasonably follows that LCT also results in a change in evaluation procedures,
essentially orienting the evaluation process to promote learning. LCT does not
reduce the importance of evaluations and the structural value of course grades.
LCT does alter the focus of evaluations to learning, as grades do not necessarily
reflect the desired higher-level learning, especially if exams only measure recall
and rote memorization of base knowledge.
It is not a straightforward change for evaluations to emphasize learning.
Accordingly, Weimer (2002) considers the opportunities in greater detail:
• As a foundation to reduce the stakes and stress of the exam, provide review sessions, make sure exams reflect covered content, offer multiple opportunities, or have exams taken as a group.
• For papers, suggest appropriate paper topics, and clearly state academic coverage expectations.
• Develop participation through both self and peer assessment.
• Utilize review sessions at the end of classes and prior to exams as learning exercises, allowing groups to summarize important content and topics that are expected to be on the exam.
• Avoid returning to the TL in the review, however tempting and accidentally reverted to it may be.
• Continue LCT into the postexam review by encouraging students to support answers they argue are correct, citing content or their reasoning process. How often, when a student states that answer C seems to be correct, we respond with “Sorry, B is the only correct answer.” Imagine the different response of “Why do you think C is correct?” Place the emphasis on learning, and we may sometimes discover that answer C may also be correct.
CONCLUSION
Overall, movement toward LCT may not be as large a pedagogical change as one
may be concerned about, and case study teaching is a type of LCT. The goals of the
TL generally rely on Bloom’s (1956) original taxonomy or Anderson and Krathwohl’s (2001) metacognitive revision—striving for evaluation and synthesis. Programs to improve critical thinking and active learning through writing (Bean 2011)
also cite Bloom’s taxonomy. So the TL and LCT approaches both have the desired
educational cognitive learning theory goals of evaluation and synthesis.
Top-down instruction and hands-on methods of learning have been around
for some time, emphasizing why, what, and then how. This pedagogy has included
preparing students for learning, activating relevant knowledge, gaining students’
attention, aids to understanding, promoting meaningful processing, and direct-
ing and maintaining attention (Steinberg 1991). In essence, when evaluation and
synthesis are achieved, students know the why and the what, which leads to how.
Knowing only how, including knowledge, comprehension, and application, does
not necessarily lead to evaluation and synthesis.
If we want to increase student engagement, strengthen team skills, and use
content for learning rather than covering content for recall, LCT offers pedagogical
advantages over the TL.
We want students to examine, explore, study, associate, assess, appraise, review,
comment, speculate, theorize, postulate, offer, imagine, assume, suggest, and hypothesize.
Observing student success is extremely rewarding and encouraging, good reasons
to create a learner-centered environment versus a teacher-dominated lecture.
QUESTIONS
1. Which of Maryellen Weimer’s classic Learner Centered Teaching (2002), “Five Key Changes
to Practice” do you feel is the most important and/or challenging? Why?
(a) The Balance of Power
(b) The Function of Content
(c) The Role of the Teacher
(d) The Responsibility for Learning
(e) Evaluation Purpose and Process
2. Given the importance of globalization, how would you approach adopting LCT even if
it is counter to your students’ cultural behavior?
3. What techniques and/or guidelines do you envision to change your role as a teacher, to
“step out of the way” of learning and serve as a moderator, not a “sage on the stage” or
lecturer?
4. How do you plan to introduce and orient your students to LCT? Do you have specific
concerns about student response and their acceptance of responsibility for learning?
APPENDIX: LCT ERM EXAMPLES FROM THE HOW
This appendix provides several LCT examples along with the related TL alterna-
tives for an ERM course that has been conducted at Auburn University Mont-
gomery (Alabama) since 2010. All examples and page number references apply
to Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomor-
row’s Executives, co-edited by John Fraser and Betty J. Simkins (2010). Learning
notes (LN) include pedagogical suggestions and course experiences. The follow-
ing LCT examples are generally small group discussions, but LCT often includes
reading assignments or problems that may be done prior to the actual class meeting
(Shibley and Wilson 2012). In each example, TL begins with the traditional teacher
lecture on the topic (such as using PowerPoint slides to speak to the students and
cover the material, etc.). LCT starts with the students.
While reviewing the examples, imagine the possible implications of Weimer’s
(2002) “Five Key Changes to Practice” described in this chapter where the process
has been flipped. Most importantly, notice how content is covered but not in a tra-
ditional lecture context where the teacher presents the information. Rather, content
is used as a means of learning. Additional examples of LCT for business communi-
cation courses are contained in Smart, Witt, and Scott (2012). Wright (2011) offers
an insightful pedagogical literature review of Weimer’s “Five Key Changes to
Practice.”
Example #1. Chapter 2: A Brief History of Risk Management
TL: Risk management “spans the millennia of human history” (page 19).
Cover the list of significant milestones in a series of PowerPoint slides and
explain the contribution of each to the development of ERM.
LCT: Review the List of Contributions (pages 22–27) and suggest the three most
significant milestones in the development of ERM.
Comment on why your group chose these milestones.
Was the group generally in agreement? If not, what were the other selected
milestones?
LN: Groups generally differ on the top three milestones, usually based on dif-
ferent themes: economic events, creation of professional organizations,
contributions and development of risk management theory, or possibly
legislative actions.
The list of significant milestones small group exercise provides an early
and substantial insight into LCT. Rather than memorize, recall, and explain,
the students are asked to review, suggest, and comment—all higher levels
of Bloom’s Cognitive Learning Taxonomy. It is most rewarding to see stu-
dents argue about the top three, supporting their choices by associating
or assessing the impact of milestones on the development of risk manage-
ment. There may not even be a top three, and even if there is, the teacher
has a postgroup selection opportunity to guide the discussion or note the
differences in theme the groups selected.
Example #2. Chapter 3: ERM and Its Role in Strategic Planning and Strategy Execution
TL: Cover the List of 11 Tenets of the Return-Driven Framework (pages 37–38).
LCT: Appraise the list of risk categories for the greatest risk (pages 41–42).
• Shareholder value risk
• Financial reporting risk
• Governance risk
• Customer and market risk
• Operations risk
• Innovation risk
• Brand risk
• Partnering risk
• Supply chain risk
• Employee engagement risk
• Research and development (R&D) risk
• Communication risk
LN: The textbook presentation states that “the framework encourages think-
ing about these risk categories” (page 41). With LCT, students should be
encouraged to do so, and in the learning process incorporate the 11 tenets.
TL: A “genuine asset” is . . . (page 38).
LCT: Create a list of “genuine assets” for a company of your choice.
LN: A simple create exercise includes recognize, apprehend, and determine. The
teacher may facilitate clarifications and corrections by guiding subsequent
classroom discussion in examining, critiquing, and exploring the different
lists of “genuine assets.”
Example #3. Chapter 5: Becoming the Lamp Bearer—The Emerging Roles of the Chief Risk Officer
TL: The chief risk officer has four major roles: (1) compliance champion, (2)
modeling expert, (3) strategic controller, and (4) strategic adviser. In the
first role . . . (pages 75–81).
LCT: Reviewing Exhibit 5.1 (page 80), distinguish the roles of strategic controller
and adviser.
Postulate which role of the chief risk officer is the most important.
LN: Postulating requires memorization, comprehension, distinguishing, and
appraisal.
Example #4. Chapter 8: Identifying and Communicating Key Risk Indicators
TL: Key risk indicators are an ERM tool that . . . (page 129).
LCT: Distinguish key risk indicators from key performance indicators.
Suggest the key risk indicator practical applications that are most important to achieve the organizational strategy of the company you work for, a company chosen by your group, or the university.
LN: The facilitator role is often needed on this topic, as key risk indicators may
be confused with or closely aligned with key performance indicators.
Example #5. Chapter 11: How to Prepare a Risk Profile
TL: The Risk Map is a graphic representation of a Risk Profile and in this case
contains eight risks (page 173). The first risk is . . .
There are eight steps to create a Risk Profile (pages 177–186).
Step 1: Schedule interviews and gather background information.
Step 2: Prepare the interview tools.
Step 3: Summarize the interview findings.
Step 4: Summarize the risk ratings and trends.
Step 5: Draft the Top 10 Risk Profile.
Step 6: Review the Draft Risk Profile.
Step 7: Communicate the Risk Profile with the board or a board committee.
Step 8: Track the results.
LCT: Appraise the benefit of a Risk Profile and Risk Map.
Suggest which step is the most challenging in preparing a Risk Profile.
Comment on why your group selected this step.
Create a Top 10 Risk Profile for the company you work for, your university,
or your school.
Example #6. Chapter 13: Quantitative Risk Assessment in ERM
TL: This chapter discusses risk assessment and risk quantification . . . (page
219).
LCT: Explore information related to the Schneider Truck Yard Tornado Damage
in Dallas, Texas, on April 3, 2012. This results in a large number of videos
and news stories.
Assess where this event would be placed in a Risk Map. Comment on how
the event may be viewed in a statistical analysis. Now speculate on your
reaction if you have just received a phone call stating, “All of the trailers
and tractors in your Dallas Hub have been destroyed.”
See Exhibit 13.3 of Fraser and Simkins (2010, p. 224).
LN: The video of tractor trailers flying through the air is striking. This is a
learning opportunity to consider the ERM of “tail events” and “known
unknowns.”
Example #7. Chapter 14: Market Risk Management/Credit Risk Management
TL: Looking at the Taxonomy of Market Risk and Credit Risk (page 240):
The first market risk is . . . . The next one is . . . . The third one is . . . .
The first credit risk is . . . . The next one is . . . . The third one is . . . .
LCT: Distinguish between market risk and credit risk.
Reviewing the different types of risk, assess which risk is most striking and
noteworthy. Comment on why your group chose this risk.
Example #8. Chapter 16: Operational Risk Management
TL: This chapter illustrates the answers to fundamental questions, including
(page 280):
� What is operational risk? Why should you care about it?
� Is risk all bad?
• How do you assess operational risks, particularly in a dynamic business environment?
• Why do you need to define risk tolerance for aligned decision making?
• What can you do to manage operational risk?
• How do you encourage a culture of risk management at the operational level?
• How do you align operational risk management with enterprise risk management?
First, let’s answer the question of “What is operational risk?”
LCT: Using Exhibit 16.2, The Bow Tie Model (page 291), provide an analysis of a
current news event. This is reprinted as Exhibit 2.2 in this chapter.
LN: The current news event may be any risk event, from explosions to traffic
wrecks, bankruptcies to product recalls, flood damage to tornado damage,
information leaks to software failures. The analysis answers the questions,
and the content is used as a means to learning.
TL: “The 5 Whys is a question-asking method that can be used to explore the cause-and-effect relationships underlying a particular risk event or problem” (page 294).
LCT: Continue your current news event analysis by exploring with at least five
whys.
LN: There are always current risk events in the news, most of which can be
searched for, often including videos. As an example, a recent class chose
a wreck between a church bus and a truck on an expressway. At first, it
appeared that the group’s risk event selection was a direct adoption of the
textbook example—a fatal accident (page 294).
However, the student-engaged whys expanded quickly, as follows:
Why did the wreck occur? Bus crossed median of expressway after tire
blew out.
Why did the tire blow out? Poor bus maintenance, bad tire, debris on
roadway.
Why was there poor bus maintenance? Expenses limited by budget.
Why was the driver not able to control the bus? Young, inexperienced
volunteer.
Why was the driver an inexperienced volunteer? Previous older, experienced driver quit driving given his age. Newer driver only needs to pass commercial driver’s license (CDL) exam and drives no more than twice per week, rarely on the expressway.
Why did the bus cross the median? No safety barrier in place.
Why was there no safety barrier in place? State had added several
hundred miles of wire or concrete median barrier, but this section of
expressway had lower priority based on wreck history. Why wasn’t
topology and shallow median considered? Engineering expertise more
expensive.
Why were individuals seriously injured? Lack of personal restraints.
Why were there no personal restraints? Not required, expensive
option.
Why are personal costs not given greater weight in budgeting?
Exhibit 2.2 The Bow Tie Model (figure: Outcome Likelihood, from High Probability to Low Probability, on the vertical axis against Outcome Values, from Negative Outcomes to Positive Outcomes, on the horizontal axis)
Example #9. Chapter 17: Types of Risk
TL: “Distinguishing between beta and alpha risk can be difficult” (page 304).
Beta risk is . . . . Alpha risk is . . . .
LCT: Reviewing Exhibit 17.1, Value Implications of Risk Appetite Change, distinguish between beta and alpha risk. This is reprinted as Exhibit 2.3 in this chapter.
LN: Distinguishing requires recognizing, comprehending, and determining. Definition recall does not. Difficult material may necessitate additional teacher facilitation and at the same time offer another student learning opportunity for discovery.
Example #10. Chapter 18: Managing Financial Risk
TL: Cover Exhibit 18.1, Examples of Contracts Traded on Major U.S. Futures
Exchanges (page 322).
Cover cases on currency risk, interest rate risk, and commodity price risk (pages 323–325).
Identify the financial question of “Does Hedging Affect Firm Value?” (page 327).
LCT: Explore the available futures contracts on www.cmegroup.com:
• Agriculture
• Energy
• Equity index
• Foreign exchange (FX)
• Interest rates
• Metals
• Options
• Over-the-counter (OTC) market
• Real estate
• Weather
Select a specific futures contract of interest to your group under Products & Trading, Products (for example, EUR/USD under FX).
Review the quotes and the contract specifications for your selected futures contract.
Suggest a scenario where your selected futures contract could be applied.
Critique the financial issue of “Does Hedging Affect Firm Value?”
LN: Students are engaged by explore, review, suggest, and apply versus covering three examples they have already read. Note that the teacher may need to facilitate the estimation of the selected futures contract’s payoff, which may be any of those available, not just the three prepared text examples. Every class to date has had at least one group select a weather futures contract. Content is used in the learning process.
Exhibit 2.3 Value Implications of Risk Appetite Changes (figure: Risk on the horizontal axis against Return on the vertical axis, showing the efficient frontier for the business portfolio and a capital requirement line; regions labeled Alpha (value creation), Beta, and Zeta (value loss); points A = Current position, B = Value destruction—uncompensated risk, C = Target position—no value change, D = True value creation)
Example #11. Chapter 19: Bank Capital Regulation and Enterprise Risk Management
TL: Economic capital is . . .
Cover Exhibit 19.4 (page 344). This is reprinted as Exhibit 2.4 in this chapter.
LCT: Distinguish minimum capital requirements from economic capital.
Assess the impact of a “black swan” event on the expected loss and confidence level.
Appraise the effect of Asset Price Liquidity under a Panic, Exhibit 17.6
(page 312), on the expected loss.
Offer an economic outcome scenario that includes the black swan event and
panic.
LN: This obviously refers to the subprime crisis (pages 89–90, 346, 351, 360–361), economic crisis (page 32), and Troubled Asset Relief Program (TARP) (pages 11 and 303), along with related topics discussed elsewhere. The intent is to not repeat (cover) the knowledge, but rather to build on (use) the knowledge the students are likely to have already seen, if not experienced.
Exhibit 2.4 Economic Capital (figure: Frequency of Loss on the vertical axis against Amount of Loss, increasing to the right; the loss distribution is marked with the Expected Loss, the Economic Capital, and the Confidence Level)
Source: Robert L. Burns, “Economic Capital and the Assessment of Capital Adequacy,” Supervisory Insights, Federal Deposit Insurance Corporation, Winter 2004.
Example #12. Chapter 20: Legal Risk Post-SOX and the Subprime Fiasco
TL: Whistle-blower protection is . . . (pages 357–358, 363).
LCT: Assume you find yourself in a position to be a whistle-blower.
Speculate as to the trade-offs involved if you’re the whistle-blower.
LN: Google “whistle-blowers SOX.” In other areas of ERM, students, especially working MBAs, may be able to provide examples of loss experiences, mitigation efforts, and risk management. To avoid overly personal discussion, whistle-blowing may be better approached by referring to publicly available information and examples.
Discussion of successful and unsuccessful whistle-blowing protection under SOX is very enlightening and productive, while avoiding overly personal disclosure.
Example #13. Chapter 23: Academic Research on Enterprise Risk Management
TL: The first article is . . . ; it found . . . (pages 422–438).
LCT: Critique the article(s) your group was assigned.
Appraise the article(s) and survey findings.
Theorize about one or more of the findings.
LN: Reading the findings of the academic research is a recall, memorization, and
possible comprehension learning activity. Creating a hypothesis or theory as
to why growing firms, for example, are more likely to appoint a CRO
(page 427) leads to an inductive learning discussion.
Example #14. Chapter 10: How to Plan and Run a Risk Management Workshop; Chapter 22: Who Reads What Most Often?
TL: Cover respective chapters without any link.
LCT: Review the findings on the use of consultants in Chapter 22 (page 394).
Imagine your group is an ERM consulting firm. Suggest techniques,
approaches, and tools that could be used to respond to the survey results
in Chapter 22.
LN: This is an example of one of many instances where topic coverage can be
linked to further group discussion.
REFERENCES
Anderson, Lorin W., and David R. Krathwohl, eds. 2001. A Taxonomy for Learning, Teaching, and Assessing—A Revision of Bloom’s Taxonomy of Educational Objectives. New York: Longman Press.
Bean, John C. 2011. Engaging Ideas: The Professor’s Guide to Integrating Writing, Critical Thinking and Active Learning in the Classroom. 2nd ed. San Francisco: Jossey-Bass, A Wiley Imprint.
Bloom, Benjamin S. 1956. Taxonomy of Educational Objectives: The Classification of Educational Goals. New York: David McKay.
Blumberg, Phyllis. 2009. Developing Learner-Centered Teaching: A Practical Guide for Faculty. San Francisco: Jossey-Bass, A Wiley Imprint.
Blumberg, Phyllis, and Laura Pontiggia. 2011. “Benchmarking the Degree of Implementation of Learner-Centered Teaching Approaches.” Innovative Higher Education 36 (November), 189–202.
Fraser, John, and Betty J. Simkins, eds. 2010. Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Robert W. Kolb Series in Finance. Hoboken, NJ: John Wiley & Sons.
Millard, Elizabeth. 2012. “5 Reasons FLIPPED Classrooms Work.” University Business 15:11 (December), 26–29.
Shibley, Ivan A., Jr., and Timothy D. Wilson. 2012. “The Flipped Classroom: Rethinking the Way You Teach.” Magna Online Seminars, Magna Publications, August 23.
Smart, Karl L., Christine Witt, and James P. Scott. 2012. “Toward Learner-Centered Teaching: An Inductive Approach.” Business Communication Quarterly 75:4, 392–403.
Steinberg, Esther R. 1991. Computer-Assisted Instruction: A Synthesis of Theory, Practice and Technology. Hillsdale, NJ: Lawrence Erlbaum Associates.
Weimer, Maryellen. 2002. Learner Centered Teaching. San Francisco: Jossey-Bass, A Wiley Imprint.
Wohlfarth, DeDe, with Graduate Students Daniel Sheras, Jessica L. Bennett, Bethany Simon, Jody H. Pimental, and Laura E. Gabel. 2008. “Student Perceptions of Learner-Centered Teaching.” Insight: A Journal of Scholarly Teaching 3, 67–74.
Wright, Gloria Brown. 2011. “Student-Centered Learning in Higher Education.” International Journal of Teaching and Learning in Higher Education 23:3, 92–97, www.isetl.org/ijtlhe/.
Yang, Xiaomei. 2010. “The Globalization and Localization of ‘Learner-Centered’ Strategy for an International Horizon.” Asian Social Science 6:9, 78–81.
ABOUT THE CONTRIBUTORS
David R. Lange, DBA (University of Kentucky), is an Auburn University Montgomery (AUM) Distinguished Research and Teaching Professor of Finance. He has received many prestigious awards for both research and teaching from the University and from several academic associations. In 2012, he received the Academy of Economics and Finance (AEF) Fellow Award in recognition of extraordinary contributions and achievements to the AEF’s mission of advancing teaching, research, and service. David was the Lowder-Weil Professor and Chair of the Applied Life Insurance Education and Research Program, and a frequent presenter in the AEF Teacher Training Program. He has taught classes in commercial risk management and insurance, enterprise risk management, financial valuation, and investments and portfolio management. He has also consulted in a significant number of individual and class insurance-related cases in both state and federal court. Professionally, David has served as the Eastern Finance Association executive director and VP-finance, as well as program chair and president for both the Academy of Financial Services and the Academy of Economics and Finance.
Betty J. Simkins, PhD, is Williams Companies Chair of Business and Professor of Finance at Oklahoma State University. Betty received her PhD from Case Western Reserve University. She has had more than 50 publications in academic finance journals. She has won awards for her teaching, research, and outreach, including the top awards at Oklahoma State University: the Regents Distinguished Research Award and the Outreach Excellence Award. Her primary areas of research are risk management, energy finance, and corporate governance. She serves on the editorial boards of nine academic journals, including the Journal of Banking and Finance; is past co-editor of the Journal of Applied Finance; and is past president of the Eastern Finance Association. She also serves on the Executive Advisory Committee of the Conference Board of Canada’s Strategic Risk Council. In addition to this book, she has published two others: Energy Finance and Economics: Analysis and Valuation, Risk Management and the Future of Energy and Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Prior to entering academia, she worked in the corporate world for ConocoPhillips and Williams Companies. She conducts executive education courses for companies globally.
PART II
ERM Implementation at Leading Organizations
CHAPTER 3
ERM at Mars, Incorporated
ERM for Strategy and Operations
LARRY WARNER
President, Warner Risk Group
This case study outlines the development of Mars, Incorporated’s Enterprise Risk Management (ERM) program, from its initial phases in early 2003 through the spring of 2012. The views expressed in this case study are those of the author, and may not be those of Mars, Incorporated (Mars). Additionally, as with any ERM program, Mars’ program has continued to evolve since 2012.
Throughout this case study, I have used first names for a number of key individuals who contributed to the success of the program. (Please note all names have been changed.) In speaking with other ERM practitioners, such early adopters of an ERM program typically help contribute to an ERM program’s development, evolution, and success. In this case study they helped spread and embed the process in their business units and in other units as they took on new roles. Most of the major improvements in the evolution of this program resulted from working with these individuals to address the needs of their business units. By identifying these players’ involvement in the early stages of the program and their subsequent roles, the case study reader should gain an understanding of the importance of and the need to cultivate relationships with these early adopters.
MARS’ ERM HISTORY
In essence, Mars’ ERM program began with the company’s inception by Forrest Mars.1 Historically, the leadership at Mars had a serious commitment to risk management. ERM represented one natural evolution from these practices.
In conjunction with the transition to nonfamily management in the early 2000s, the corporation established challenging growth, earnings, and cost targets. To achieve these objectives, the company undertook a number of key initiatives. ERM became one of these.
In 2002, Roger, the CFO at the time, and I sat down and discussed how an ERM program might help better manage the business. We recognized that we lacked the experience to implement such a program on our own, and asked two of our existing service providers with ERM practices to make proposals as to how they might assist us in this project. As Roger put it, “We need someone to transfer knowledge to Larry.”
One vendor pushed for a Committee of Sponsoring Organizations (COSO)
structure. The other suggested we develop a program that leveraged Mars’ unique
strengths. As a large, privately held, decentralized company, we agreed that the
latter better met our needs.
At this point, we decided that we wanted to develop ERM and not what one might call an “enterprise compliance management” (ECM) program. This represented a critical decision in Mars’ ERM development.
To kick things off, we took a risk management survey of the 15 or so managers on Mars’ global management team. We spent a couple of hours personally completing the survey with David, who was to become the president of Mars at the beginning of 2003. This was a critical move in the development of the program, as we gained an understanding of his views on risk management and how we might develop the ERM program.
Following the survey, we recognized the need to gain an even broader understanding of how the associates (Mars does not have employees) in the business viewed risk. We decided to conduct risk assessment workshops for a function (Service & Finance), geography (Canada), and product group (European Sugar). Working with our consultants, we selected a gap analysis methodology. In gap analysis, you evaluate the inherent risk (impact and likelihood) with limited controls (e.g., buying commodities at spot cost as opposed to with futures contracts) against management effectiveness.
We had the first workshop with the global finance team during our corporate meetings in the summer of 2003. The ERM team had a major win during this session. At the time, Mars was undertaking a substantial investment. During the session, the consensus of the group was that we, Mars, had undertaken too aggressive a time frame to be successful. By the next day, the corporation announced a change in the rollout of the project.
During the session, the CFOs of Europe and the United States both commented
on how beneficial this workshop had been. This was critical for two reasons. First, it
generated buy-in from additional senior management. Second, the CFO of Europe,
Oscar, would soon be named the new CFO of Mars upon Roger’s retirement.
We began calling discoveries like the one in the global finance team’s workshop the “known unknowns,” because many of the participants knew and/or were concerned about the issue before the meeting; however, it had never risen to such a level that it was formally brought forward to the group. We developed a scenario that explained such discoveries and how they could help the business. For example, two management team members have dinner after work. They discuss an issue that concerns them; however, for some reason this issue does not arise during team meetings, perhaps because they do not believe they have adequate expertise to challenge the group’s thinking, or one team member was so passionate about the issue that everyone else deferred. Over the years, we found that these “known unknowns” frequently held the key to a business’s success. In training workshop facilitators, we held identifying known unknowns as a major key to successful workshops.
In Canada, the general manager asked us to help his team evaluate their newly finalized strategy and provide an additional day of action planning based on our findings. While the workshop did not turn up any major known unknowns, the participants felt the process enabled them to evaluate properly the risks with their strategy and make enhancements that would increase the likelihood of success.
Our final assessment with European Sugar had a major win, as it delayed a
major product launch. The workshop identified key doubts in the potential success
of the new product and its distinct format. The product team was tasked to return
to the next management team meeting to address the issues identified in the risk
assessment.
The participants in all three workshops deemed them successful and provided senior management with positive feedback. The ERM team also had major learnings. First, the workshops revealed a common risk aversion among most associates. To enable the company to grow faster, senior management knew that units had to take on more risk. Based on the initial success of our risk assessments, senior management felt that ERM would be one tool to enhance growth.
The second major discovery revolved around the workshops themselves. To
determine management effectiveness, we had asked participants to base their
anonymous votes on limited controls (e.g., buying commodities at spot as opposed
to with futures contracts). Universally, we received push-back, as the company had
a control mind-set as one of its basic tenets. As such, the importance of control had
become ingrained within all associates over many years.
Failure and Retrenchment
Based on the success of our three pilot workshops, we received the go-ahead to
develop a full-scale ERM process. In early 2004, we put together a multifunctional,
global team, supported by our consultant, to develop an ERM program. Over the
next five months, we held monthly meetings to rough out a program. Three of the
regional presidents acted as our advisers.
In June we presented our program, including a unit to pilot its implementation, to the Mars management team. At the end of the presentation, David, Mars’ president, looked at us and stated that this looked like a major software transition, and we had done that once and were not going through that again. The rest of the management team agreed. David looked at me and said, “Larry, I know you can scare people when it comes to risk. I want you to take your team and develop a process that will generate a risk discussion mentality for the units. I want you to work with several of our larger units—China, Russia, Australia, and Europe.” He asked us to begin in China in three weeks and build the process around our annual operating planning process.
I believe it is important to note here that ERM is an evolutionary process. I
believe that having our first approach rejected ultimately led to our successful
development of a more practical, less complex approach. Looking back, I doubt
that our initial approach would have worked at Mars due to its complexity.
PHASE 2—SUCCESS
There were three components of the proposal that were well received, which we kept with minor revisions and additions. First, our basic tenets for development still existed, but we now had better clarity. Senior management clearly sought:
• A methodology to determine what is actually achievable by business units in the context of corporate performance objectives
• To improve alignment and accountability around the pursuit and execution of each business unit’s goals and objectives
• To foster a risk discussion mentality among business unit management teams
• A mechanism that enables managers to knowledgably and comfortably take risks in order to achieve growth goals that exceed overall market growth
• A tool to objectively track performance
Our original mission statement remained: “The objective of ERM is to provide the company with a proven, sustainable framework to proactively understand and deal with complex business risks, both tangible and intangible, existing and emerging, across the entire organization.” This statement became the guideline against which we evaluated the development and evolution of the program.
Senior management also agreed with the major principles for the design of an
ERM process:
• Create value.
• Leverage the company’s unique strengths.
• Work with existing organizational structure.
• View risk as opportunity.
• Encourage alignment and accountability.
While these represented great tenets to develop a program, we basically were
where we had begun six months before, working with a clean slate.
While “create value” seems obvious, we did not know where this would take
us as we began building a new program following our unsuccessful initial attempt.
However, we had better clarity regarding senior management’s view of what was
needed. Understanding and meeting the needs of senior management provided
the keystone for the development of our program.
From the company’s perspective, “unique strengths” meant privately held and decentralized. Senior management similarly made working within an existing organizational structure equally straightforward. They wanted the ERM team to build the ERM process into the annual operating plan without adding any staff. We were to use regional Service & Finance Staff Officers to assist us.
Based on our findings of risk aversion in our initial workshops, we knew that viewing risk as an opportunity meant a cultural shift. Finally, we understood that encouraging alignment and accountability meant a process that enabled unit management teams to align and agree to the objectives they could legitimately achieve within the constraints of the risks identified in the ERM process. We found that these two things went hand in hand. By developing alignment around the risks to a unit’s operating plan and the optimal risk treatments, the ERM process would enable business units (BUs) to take on more risk to enhance their opportunities and capabilities for growth.
On the Monday three weeks after our presentation to the management team,
our consultant, his two assistants, and I were blankly looking at each other across a
table in a meeting room in the China office outside of Beijing. We had no idea what
we should do. We decided interviewing everyone on the China management team
might generate some ideas.
Based on the unit’s 2005 operating plan and these interviews, we developed
a template that we thought captured their input. Each sheet reflected an initiative
of the operating plan (e.g., grow Brand X 5 percent in 2005 and deliver operating
plan profit). The template looked quite simple. It had a header for the objective
with a block for a score next to it and two columns underneath—risks on the left
and risk treatments on the right. (We initially used the term mitigation; however,
at an ERM conference, one of the audience members pointed out that mitigation
did not coincide with our stated objectives. Instead risk treatment better reflected
“viewing risk as an opportunity.”) We spent several days filling the templates with
the risk and risk treatments, which the business unit managers had identified with
their 10 key initiatives for 2005.
We provided the templates and additional background in a preread package
to allow the participants to prepare in advance of the workshop.
We started the workshop by having the management team force rank the initiatives from 1 to 10 (or the total number of initiatives which they had). We compiled the results and projected them onto the screen, discussing the differences and/or alignment among the votes. We then asked them to agree or change the prioritization, thereby beginning the alignment process. (This became the initial item in all future workshops.) Understanding the differences in rankings led the participants to understand others’ views of importance, and in some cases gain a better understanding of the actual operating plan objectives.
We took the initiative voted as the top priority and began the workshop. We reviewed the definition of the initiative, and the management team edited and aligned behind the final definition. We then validated and added risks and then risk treatments. When we, the facilitators, sensed we had captured the major risks and risk treatments, we moved to an anonymous vote on the probability of successfully achieving the objectives, using a scale of 1 to 9, with 1 representing 10 percent or less, 2 representing 20 percent, and 9 representing 90 percent or more. Voters would take into consideration the things they could control, their unit’s capabilities and resources, potential competitor activities, and so on.
When the votes appeared on the screen, we found them generally spread across a range of 4 to 5 on the scale (e.g., 3, 4, 5, 6, and 7). As facilitators, we led a discussion as to why someone might vote a 3 and others a 7. We found that having the lower-voting participants lay out their reasoning led to better discussions. The higher-voting team members would attempt to address the concerns raised by the lower-voting participants. Over time the facilitators could sense alignment in the room and have the participants take a second anonymous vote. The second vote’s results generally aligned around two numbers or were centered on one number with one or two outliers above and below the center vote.
The first workshop went exceedingly well. We then headed to Australia for
our second workshop. This was a critical test for two reasons. First, one of the
Mars regional presidents, who advised us throughout the initial ERM development
process, participated. Second, our senior consultant had to go back to the United
States, so his two assistants were to help me build and facilitate the workshop—
one as a co-facilitator and the other as the editor of the workshop templates and
operator of the voting technology and workshop. Here again we had a successful
workshop.
Our next workshop took place in Russia. We had several major learnings from
this workshop. First, when you have a very strong and charismatic general man-
ager (GM), it is important for the facilitators to ensure that the entire management
team participates. To this end, we pulled the GM aside and requested that he with-
hold his comments to the end. We would go to him to wrap things up. It became
a common practice for facilitators to ask GMs to “work with us” to ensure that
all team members participated, and to allow the GMs to wrap up with comments
before the final vote. It was a way for facilitators to better control the process and
to make sure the known unknowns became visible.
At one point the GM stopped the session and stated, “This process helps you
focus on what’s important.” This became a mantra of our ERM process.
As Russia had gone through several currency issues in the 10 years the unit had
been in operation, the GM and CFO asked for us to build a template of how it could
effectively handle a currency crisis. We did as requested, and the management
team felt they identified the actions they needed to take in the event of such an
occurrence.
This activity may seem minor, but it highlights two key points that ultimately
contributed to the ERM program’s success. First, business units have unique needs
and frequently need help in maximizing the use of ERM. By ensuring that the pro-
gram had some flexibility, units were more likely to leverage its benefits. Second,
we learned to constantly try new things. Many of our evolutionary improvements
to the process resulted from requests or suggestions from individual units.
Our final workshop in the 2004 pilot took place with a subgroup of the Euro-
pean management team. Known to only a few key members of this team and a
few senior managers at the corporate level, Mars had begun the initial phases of
a major project. The Regional Staff Officer of Service & Finance (S&F) lobbied the
Regional President of Europe to have our new ERM process validate their work.
Here again we tried a new activity with them in the workshop. This enabled them
to identify the low, high, and most likely outcome of their key objectives, based
on an analysis of the risk involved. While this activity was helpful, they advised
us that the template that we had used in the other workshops proved the most
beneficial to them.
Based on the success of this workshop, the Regional President of Europe asked
us to perform three workshops, one in each of the countries that would be partici-
pating in the project.
During the interview process in one of the countries, it became clear to us that
they had not progressed to the point needed to launch their project. We advised
the European management team of this. The general managers of the two units in
this country were not only greatly appreciative but also became two of the biggest
advocates of ERM in each role they subsequently held within the business.
The participants in all three countries found this process better enabled them
to prepare for implementation. They identified critical risks and solutions that
enabled them to successfully achieve their objectives.
Ben, the new Regional S&F Staff Officer from Europe, cofacilitated each of
these workshops with me. (Through this work, Ben became a major supporter of
ERM AT MARS, INCORPORATED 45
ERM as he progressed to become the CFO of the company’s largest segment.) As
the program developed, several of our earliest participants in the program (facili-
tators and management team members) became our biggest advocates. This acted
to increase the “pull” of the program through the business as opposed to corporate
needing to “push” it through.
GLOBAL ROLLOUT
Based on the feedback from the workshops and the support of the two regional
presidents, the next phase was to move forward with a global rollout of the ERM
program.
For 2005, we targeted 17 units for workshops to assess the risks of their 2006
Operating Plans. China, Australia, Russia, and virtually every general manager
from the seven units in the European project asked to be included in the rollout.
Here again our design principles were reaffirmed. Management believed the
process created value, helped units become less risk averse (view risk as an oppor-
tunity), and encouraged alignment and accountability among the participants. Our
remit to work within the annual operating plan reaffirmed “work within an exist-
ing organizational structure.”
Many companies would find their planning process similar to Mars. Busi-
ness units begin developing their annual plans nine to 12 months before Jan-
uary 1, based on their long-term strategies within the context of the broader seg-
ment and corporate strategies. They receive input from their segment management
teams. Mars has six segments: Chocolate, Drinks, Food, Petcare, Symbioscience,
and Wrigley. Late in the year they present their plan to management. ERM repre-
sents one component of their presentations.
For the rollout, the ERM team developed formalized interview templates.
Although we always interviewed the GM first, the team began to have joint inter-
views with the GM and S&F head (CFO), who acts as the GM’s copilot. We found
that these joint interviews provided much more detail and reduced the number of
other business unit (BU) team members we had to interview. The workshops were
time consuming to build, each taking approximately one person-week, or more for
larger, more complex units. Any time savings proved beneficial, as the team had
very limited resources. It also represented an evolutionary step in our process.
The ERM team entered the process with only three facilitators skilled in our
new process—our consultants (Bill and Greg) and me. As we wanted to internalize
the process, we had to train an adequate number of internal facilitators. Optimally,
two facilitators would run a workshop with one operator, the person responsible
for operating the voting technology, updating the templates as we spoke, and keep-
ing notes.
These ERM workshops require atypical facilitation skills. A facilitator needs a
great deal of knowledge of the business, good facilitation skills, and the ability to
challenge participants. We found over time that some people, recognized as good
facilitators for most activities, proved ineffective in ERM workshops as they lacked
the ability to aggressively challenge the management teams from an operational or
strategic perspective.
Oscar instructed both regional and functional S&F staff officers, who reported
to him, to support us. (Regional S&F staff officers support the Mars CFO in the
region, while functional staff officers oversee specific functions—e.g., Treasury,
Risk, Control, Strategy, etc.) Oscar directed the regional S&F staff to help us sched-
ule the sessions and to act as our cofacilitators in their regions. Several nonregional
S&F staff officers and George, who worked for me, were also to be trained and act
as facilitators. All of these associates had the requisite skill set to be effective in the
ERM workshops. The use of S&F staff officers to assist us reaffirmed both “work
within an existing organizational structure” and “leverage unique strengths.”
We kicked off the rollout the first two weeks of August, conducting workshops
at our three U.S. units—Food, Snackfood, and Petcare. All three were successful
and we identified serious risks or (better said) opportunities for each plan. We
trained George and Elizabeth (the Staff Officer of Strategy) during the Food and
Snackfood workshops.
The votes at U.S. Petcare revealed a lack of alignment around the probability of
success of several key initiatives to their plan. The GM complained that the team
had just spent two weeks, including an off-site planning session, making major
additions and revisions to the plan, but no one had raised the issue, which arose
during the workshop; however, we pointed out that the intent of the ERM process
was to identify these issues prior to the implementation of the operating plan. This
would enable units to address these issues in time to increase the likelihood of
success.
The following week, Elizabeth ran the Mexican workshop, training the
regional staff officer and Jim, her direct report. In the meantime, I went to Asia
for the China, Japan, and three Australian workshops. In Asia, early supporters
played a key role in our success. Mars China had found great value
in our initial workshop and began to use the program as a key component of its
operational and strategic planning process.
The new general manager in Japan had participated in the pilot workshop in
Canada and in the UK project workshop as one of the GMs. He was keen to use
ERM as a tool to help his team reinforce their growth and market position.
In Australia, we began the following week with our Snackfood unit. It was
the first day on the job for the general manager, who was new to Mars. He felt
the workshop proved quite beneficial as not only did he become familiar with his
direct reports, but he gained an understanding of the issues confronting the busi-
ness, which he felt would have otherwise taken months to learn.
In Australia, we had a major learning: We needed a process to ensure follow-
up on issues identified during the workshops. John, the CFO for Australia with
operational responsibility for the petcare unit, noted that in his preparation for
the workshop he reviewed the output from the prior year. The team had actually
identified their major risk for 2005 and the treatments to address this issue. Unfor-
tunately, they had not used the prior year’s solutions, and had not met their targets
for the issue. John became one of the biggest advocates and supporters of ERM as
he moved on to CFO of the Russia unit and then U.S. Chocolate.
REPORTING
Ultimately we conducted 18 unit workshops, one for our quant group, and a cor-
porate one. At the end of the process we reviewed all of the output. We recog-
nized the need for categorizing the differences between the votes to report risk
using a color key for risk profiles (see Exhibit 3.1). In reviewing the voting scores,
Exhibit 3.1 Color Key for the Risk Profile Score
Score            Color
7.5 and greater  Green
7.0 to 7.4       Blue
6.0 to 6.9       Yellow
5.0 to 5.9       Orange
5.0 and less     Red
(An arrow running from Red toward Green is labeled: increased probability of achievement and/or increased level of management effectiveness.)
it appeared that five groupings existed. We had some actuaries review the data as
well, and they came up with the same results.
Companies frequently like to use three colors in their corporate dashboards;
however, most experts seem to agree that risk is not so cut-and-dried, and recom-
mend four or five risk categorizations. As a workshop facilitator, one can gener-
ally detect why a score was blue and not green. In discussions challenging such
a vote, facilitators frequently heard general managers or other participants speak
very clearly as to why an initiative is blue and not green.
Following the addition of risk categories, the ERM team developed a summary
report, in priority order, consisting of each initiative, its definition, and each initia-
tive’s risk profile (see Exhibit 3.2). These were compiled by region and submitted
to the Mars management team and the regional management teams, along with
the complete workshop reports.
Although senior managers reviewed these reports, it was too early in the pro-
cess for them to understand fully the potential of ERM. This was highlighted in Jan-
uary 2007 during my annual review with Oscar. David, Mars’ president, entered
the “fishbowl” room quite perturbed at one of the largest units. The unit had
advised of a significant surprise at year-end, which had an impact on the over-
all business’s year-end results. David looked at me and asked whether this issue
had arisen during my new process. I advised him that the unit had raised this as
a potential issue, which could adversely impact them entering the new year. They
Exhibit 3.2 Summary Report
asked me to get them a copy of the complete report, and I took this to mean they
had read but not kept the original.
The unit’s ERM workshop output had the issue as a “red” in their submission.
While both David and Oscar agreed that they expected some units to have initia-
tives with a red risk profile, they would not accept a unit to have a red issue and
not address it or communicate the potential impact as appropriate. This became a
basic tenet of the ERM process. This incident also proved a major win for ERM, as
David became extremely interested in the quarterly updates, which began shortly
thereafter.
To ensure that units used ERM throughout the year and communicated their
views on risk to senior management, we developed an ERM dashboard template.
This included the initiatives in priority order, the risk profile of each initiative for
each quarter (beginning with the workshop in Q3), the risk profile trend—stable,
improving, or declining—and a comment column for providing a view for year-
end (see Exhibit 3.3). This became an excellent tool for communicating for several
reasons. First, units that did not do so already had to review their risks and risk
treatments quarterly. This helped them to have a risk mentality mind-set, which
David had given us as a goal at the beginning. Second, senior managers could
quickly identify units that were struggling with issues. For the first couple of years
of the program, David would meet with the corporate controller to review the
Exhibit 3.3 Quarterly Update
quarterly reports. Finally, it provided units with a tool to communicate to man-
agement that things were on track, although the first or second quarter sales may
not have appeared that way.
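The vote scale, the Exhibit 3.1 color key and the quarterly dashboard described above, worked through as an added Python example (not the book's or Mars' own tooling); the alignment rule, the treatment of a score of exactly 5.0, the use of color bands for the trend and the sample votes are all assumptions.

```python
"""Risk profile scoring for ERM workshop votes: anonymous votes on a 1-9
scale (1 = 10 percent or less, 9 = 90 percent or more), the Exhibit 3.1
color key, and the quarterly dashboard trend column.
Added example; thresholds beyond the color key are assumptions."""
from collections import Counter
from statistics import mean

SCALE_MIN, SCALE_MAX = 1, 9
COLOR_RANK = {"Red": 0, "Orange": 1, "Yellow": 2, "Blue": 3, "Green": 4}


def vote_to_percent(vote):
    """Probability of success one vote stands for (1 -> 10%, 9 -> 90%)."""
    if not SCALE_MIN <= vote <= SCALE_MAX:
        raise ValueError(f"vote {vote} outside {SCALE_MIN}-{SCALE_MAX}")
    return vote * 10


def risk_color(score):
    """Exhibit 3.1 color key. The book prints '5.0 to 5.9' as Orange and
    '5.0 and less' as Red; exactly 5.0 is treated as Orange (assumption)."""
    if score >= 7.5:
        return "Green"
    if score >= 7.0:
        return "Blue"
    if score >= 6.0:
        return "Yellow"
    if score >= 5.0:
        return "Orange"
    return "Red"


def summarize_votes(votes, max_outliers=2):
    """Summarize one anonymous vote on an initiative.
    'aligned' mirrors the chapter's settled second vote: results clustered
    on one number or two adjacent numbers with one or two outliers. The
    adjacent-pair core and max_outliers cut-off are assumptions."""
    for v in votes:
        vote_to_percent(v)  # range check only
    counts = Counter(votes)
    best_pair, best_count = None, -1
    for low in range(SCALE_MIN, SCALE_MAX):  # adjacent pair with most votes
        c = counts[low] + counts[low + 1]
        if c > best_count:
            best_pair, best_count = (low, low + 1), c
    outliers = [v for v in votes if v not in best_pair]
    score = round(mean(votes), 1)
    return {
        "score": score,
        "color": risk_color(score),
        "low": min(votes),
        "high": max(votes),
        "spread": max(votes) - min(votes),
        "core": best_pair,
        "outliers": outliers,
        "aligned": len(outliers) <= max_outliers,
    }


def profile_trend(quarterly_scores):
    """Dashboard trend column (stable, improving, declining), judged by the
    color band of the latest quarter against the previous one (assumption)."""
    if len(quarterly_scores) < 2:
        return "stable"
    prev, last = (COLOR_RANK[risk_color(s)] for s in quarterly_scores[-2:])
    if last > prev:
        return "improving"
    if last < prev:
        return "declining"
    return "stable"


def dashboard_row(initiative, priority, votes_by_quarter, comment=""):
    """One dashboard row: initiative in priority order, risk profile per
    quarter (Q3 = workshop vote), trend, quarters lacking alignment, comment."""
    summaries = {q: summarize_votes(v) for q, v in votes_by_quarter.items()}
    quarters = list(votes_by_quarter)  # insertion order: Q3, Q4, ...
    return {
        "priority": priority,
        "initiative": initiative,
        "profile": {q: summaries[q]["color"] for q in quarters},
        "trend": profile_trend([summaries[q]["score"] for q in quarters]),
        "misaligned": [q for q in quarters if not summaries[q]["aligned"]],
        "comment": comment,
    }


# Constructed sample votes (not real Mars data): a seven-person management
# team voting on two initiatives at the Q3 workshop and again in Q4.
SAMPLE_VOTES = {
    "Grow key brand share to 35 percent": {
        "Q3": [6, 6, 7, 7, 8, 7, 6],
        "Q4": [7, 8, 8, 8, 7, 8, 8],
    },
    "Fill every critical job in the succession plan": {
        "Q3": [3, 4, 5, 6, 7, 4, 6],
        "Q4": [4, 4, 5, 4, 5, 4, 4],
    },
}


def build_dashboard(votes=SAMPLE_VOTES):
    """Dashboard rows in priority order (dict order = priority order)."""
    return [dashboard_row(name, i + 1, by_q)
            for i, (name, by_q) in enumerate(votes.items())]


if __name__ == "__main__":
    for row in build_dashboard():
        print(row)
```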
An excellent example of the latter point occurred the first year we used the
reporting template. In a large market where the company had a strong number
three position, the unit’s reported sales appeared to fall below its plan at the end
of the first, second, and third quarters of 2006.
I had facilitated the unit’s workshop. As their two main competitors, which
had a significant share of the market, planned to front-end load their activities (e.g.,
advertising, consumer promotions, trade discounts, etc.) into the first and second
quarter, the unit decided to focus the vast majority of its activities into the second
half, especially the fourth quarter. Each quarter the unit reported its key brands
as having green risk profiles. Each quarter, Oscar had me contact and challenge
the unit CFO on this point. Each quarter the unit CFO responded that the unit had
back-end loaded its activity set into Q3 and Q4, and I confirmed to Oscar that this
had been the case in the workshop as well. In the end, the unit delivered about
105 percent of its planned sales, and the ERM Quarterly Report gained a great deal
of credibility.
One thing that we noted from both the pilot year and the launch year was
that participants did not always seem to vote on the same thing on an initiative.
For example, an objective may read, “Maintain market leadership while achieving
growth and profitability targets.” A unit might have 35 percent market share, and it
could hold market leadership at 25 percent. One participant may vote low because
she believes market share will fall to 32 percent while another participant votes
high because this will still represent market leadership. Similarly, divergent votes
Exhibit 3.4 Targets
on achieving growth and profitability may result as different participants vote on
gross sales versus net sales, and earnings versus margins.
To resolve this problem, we changed the process for the 2007 Operating Plan
workshops, conducted in Q3 of 2006, and all future workshops. We required units
to specify measurable targets within each objective (see Exhibit 3.4).
Units could do this for all initiatives, including intangible ones. For instance,
associate engagement targets would include specific numerical scores for the units
and follow-up percentage targets for management. Similarly, “Have the right peo-
ple for the right jobs” would become “Have one person for each critical job in the
unit’s succession plan.” These objectives would have measurable targets by which
the unit could report progress throughout the course of the year.
2007 OPERATING PLAN WORKSHOPS
In 2006, we made two major changes. We added a strategic component to the work-
shop. We also pushed most of the workshop development to the units.
In terms of a strategic component, we added a column to the existing workshop
template that held the activities the unit needed to undertake to successfully imple-
ment its long-term strategic objectives. The strategic component proved unsuc-
cessful for three major reasons. First, we found that units without a completed
long-term strategy did not find this worthwhile. Second, the shift from the operat-
ing plan in the morning to the strategic plan in the afternoon proved too mentally
taxing. Workshop participants tend to be less effective late in the afternoon due
to the mental focus required in the workshop, and the transition to the longer-
term view in the afternoon seemed to make this afternoon lapse worse. Finally, we
found the extra column in the strategic template unnecessary. Units preferred to
use the standard workshop template for both operational and strategic issues. For
all future strategic workshops, we used only the standard template.
For the 2006 Operating Plan workshops, we found it very time consuming for
facilitators to build each individual workshop. To build each workshop, the two
facilitators interviewed the general manager, the unit CFO, and several other unit
management team members. They would then take the unit’s key operating plan
objectives and compile the templates by adding the risks and risk treatments based
on their interpretation of the interviews. Between the interviews and the workshop
compilation, it could take as much as a person-week to build a workshop. As facil-
itators typically had very senior positions, this did not represent an effective use of
their time. This time-consuming process would greatly limit the number of work-
shops that we could have, unless we could find a better solution.
At this time, the company was moving to increasingly standardized planning
tools. The units could use these tools to develop their own workshops, with mini-
mal guidance and support of the workshop facilitators. This aligned well with our
objective to simplify the workshop development process and aided us in push-
ing much of the workshop development to the unit. We developed a PowerPoint
presentation that outlined the process, as summarized in Exhibit 3.5.
This new approach greatly reduced the time to build a workshop. By having
initiative owners confirm the definition of the objectives, adding what they viewed
as the major four or five risks and risk treatments, we not only reduced the time
necessary to build a workshop, but we also improved the quality of the workshops.
The latter was achieved because the facilitators no longer had to interpret what
they had heard in the workshop. Instead, the actual owners populated this data,
which the management team validated in the workshop. This had the additional
benefit of increasing the ownership of the process within the unit.
TECHNOLOGY
When the ERM program began in 2003, the ERM team consciously did not select
a technology solution. The company did not want a technology solution to drive
the process. By 2007, the program had developed to the point that we needed tech-
nological support. First, we moved from using Word to Excel. This enabled us to
develop a comprehensive Excel tool for workshop development and data capture.
Second, we selected a software vendor whose product could most closely adapt to
our process.
The Excel tool greatly streamlined the process for building workshops. It made
it easier to define initiatives and for users to build individual templates in prepa-
ration for workshops. More importantly, it enabled workshop operators to revise
and add information to the templates more easily during workshops. This enabled
workshop participants and operators to focus better on the process.
Exhibit 3.5 Sample Planning Process
#  Activity (Timing)
1  The unit CFO provides the facilitators with the key operating planning documents, standard planning documents, and so on.
2  The facilitators hold a teleconference with the unit’s GM and CFO to identify relevant operating plan initiatives and strategic risks from last year’s assessment and add new operating plan initiatives and strategic risks. (1.25 to 1.5 hours)
3  The facilitators prepopulate the workshop template with initiative definitions, based on the interview, the planning documents provided, and output from the prior year. (1.5 hours)
4  Facilitators send the prepopulated workshop template to the unit CFO.
5  The unit CFO forwards each template to the unit’s Management Team and to the individual initiative owner.
6  Initiative owners confirm the initiative definition, including key metrics, add four to five risks, and add four to five risk treatments. (0.5 to 1 hour per initiative)
7  The unit CFO consolidates the templates and forwards them to the facilitators and the unit GM. (1 hour)
8  One facilitator has a review with the unit GM and/or CFO of the workshop template to validate the input and identify any key points. (30 minutes)
9  The unit CFO distributes the final workshop template to the unit’s Management Team as a preread package.
10 Workshop. (8 hours)
The software resulted in two major improvements in the process. First, it
enabled units to update their risk profiles into a system. It also provided more
flexibility than previously available using Word.
Data capture and reporting represented the other major improvements pro-
vided by the software. Using the Excel tool following each workshop, we cat-
egorized each initiative and risk by function (e.g., Service and Finance, Sales,
Marketing, etc.). Similarly, we categorized these using the risk definitions, which
the initial working group had developed.
AGGREGATION
The company historically had very well-defined ranges of risk that it would take
on in the areas of currencies, commodities, insurance, and so on. It had compre-
hensive reporting that aggregated such financial risks. Although these areas were
well managed at the regional, segment, or corporate level, their role frequently
influenced decisions at the business unit level.
While companies can easily aggregate these types of financial risks, the ERM
process presented other types of information. The output of the ERM workshops
produced both qualitative and quantitative data, as well as tangible and intangible
risks. These included operational, supply chain, and human resources risks.
To aggregate these risks and identify emerging risks for regional, segment,
and corporate management teams, the ERM team had two methodologies—human
review and technology. In the early years, the ERM team would review all of the
workshop output and summarize the three or four key themes for the corporate
management team. In some cases, they would delegate the review of this informa-
tion to the individual(s) responsible for the issue. In two cases, the ERM team led a
short workshop with the corporate management team on one or two of the critical
issues identified.
In many of the early workshops, the ERM team was surprised to find so many
human resources issues across the world. Frequently, these rose to be near the top
of the list in priority for many units. Bringing these out in workshops enabled the
units to view these from the perspective of risk to the business. On a corporate,
aggregated basis, this gave leadership a different perspective (i.e., risk) from which
to view the issue, and over time how their initiatives worked to improve the risk
at the corporate and unit levels.
Once the company moved to segments from regions, the ERM team aggregated
the output from the individual units in the segment and conducted workshops
with the segment management teams, to help them identify the key issues con-
fronting their business in the coming year. These included themes and emerging
risks identified across the entire business, but focused on their impact on the indi-
vidual segment. This was done in conjunction with their overall planning activities,
bringing risk into their evaluation process. Some segments found this quite useful
in helping them to allocate resources and identify action plans to improve the like-
lihood of the segment’s success in the upcoming year. Segments that found this
helpful held these workshops annually.
In aggregating the risks in the workshops, we considered such issues as these:
� The number of business units impacted
� The number of associates impacted
� The number of business processes or functions impacted
� The impact on our consumers and customers
� The potential impact to our brands
This methodology worked very well with difficult-to-quantify risks. It also
helped to identify emerging risks. The overall process identified issues that might
be a nuisance in individual markets but when viewed on an aggregated basis had
a potential impact on the segment or corporation as a whole.
The software solution provided another opportunity for aggregation. As
workshop teams had categorized the initiatives and risks by both function and
risk definition, we could run reports or aggregation by business unit; by geography
(country, region, corporate); by corporate function (S&F, Sales, Compliance, Mar-
keting); and so on. Once the system had three years of data, it could provide com-
parisons by year, segment, region, and business unit. This enabled the preparation
of summary reports, aggregating the issues identified and changes by year, thus
allowing the identification of emerging risks, such as the increasing importance of
commodity pricing and availability. The reports provided a summary analysis of
the data for the segments, which used this to supplement their ERM work.
Unfortunately, we lost our back-office support for these reports after the first
year of developing the capability. As such we were unable to run these reports
on an ongoing basis thereafter. The learning for others is to ensure that you select
software that your team has the capabilities to fully utilize.
TEMPLATE EVOLUTION
Over the years our template evolved. Some changes resulted from observations
made by facilitators. Others came from participants, either during workshops or
from periodic global surveys.
During a workshop, facilitators attempt to limit the number of risks and risk
treatments to 10 to 15 each (as many as 20 for very large units). However, having
so many risks and risk treatments can lead to clarity without perspective.
The initial template simply listed risks and risk treatments in two columns,
without referencing which risk treatments applied to the individual risks. The
ERM team found that referencing the risk(s) that the individual risk treatments
addressed provided better clarity as to the process. Furthermore, this approach
helped to better identify the most critical risks and risk treatments. To leverage
this opportunity, participants had to identify the three or four most critical risks,
defined as those most likely to adversely impact the initiative. They did the same
for the three or four most critical risk treatments (i.e., those most likely to lead
to success). This led to more robust voting, as participants had a perspective on
the impact and likelihood that the most critical risk would occur, as well as the
effectiveness of the most critical risk treatments in aiding the team to achieve its
objectives.
Initially, when units identified key actions that they believed would increase
the likelihood of success, they were included in the summary reports. However,
the ERM team discovered that the failure to assign accountability for the activity
frequently led to it not getting done. (I have heard this same issue arise in other
companies’ programs.) Consequently, an “Action Plan” section was added to the
bottom of the template. This improved the results; however, in one workshop the
unit asked if they could assign each risk treatment to an individual. This worked
very well.
Through experimentation it was found that adding both a responsible party
and a completion date added to the robustness of the process. Typically, units
would assign the tasks to either management team members or their direct reports.
This helped identify situations where one associate or group had too many activ-
ities to address properly those things needed to achieve an initiative’s objec-
tives. More important, as the workshop progressed through the day, it frequently
became clear that a unit might not have the bandwidth to complete all of their tasks
in the time frame allotted. This led to changing deadlines and moving resources
around the business in order to improve the likelihood of successfully achieving
both individual initiatives as well as overall operating plan objectives. Exhibit 3.6
shows how a completed template from a workshop would appear.
Exhibit 3.6 Mars ERM Template
Template for input in Workshops. The template names the Initiative, then lists Risks (Risk 1 through Risk 10) with a # column and a Risk Ref # column, followed by an Action Plan section with columns for Risk Treatment (Risk Treatment 1 through Risk Treatment 8), Risk Treatment Owner, and Due Date (entries such as “End Q4 2011,” “Q3 2012,” and “Ongoing”), plus a Greener/Green profile indicator. The row-by-row layout did not survive extraction.
SPECIAL SITUATIONS
The ERM team found that engaging key early supporters on an ongoing basis had
mutually beneficial results for both. Most of the evolutionary improvements and
best practices occurred as a result of these activities.
One major European unit sought to improve their growth rate. In 2006 Pete
became the CFO, and in early 2007, Susan became general manager of this unit.
Pete had participated in the initial South African workshop as well as his new unit’s
2007 Operating Plan workshop. Susan had played the key role in having the ERM
team involved in the 2004 European project.
To turn the business around, Susan and Pete wanted ERM to play a key role
in the unit’s growth program. They wanted to hold a series of ERM workshops to
support the development of their program. The output would be built into and be
monitored on an ongoing basis by their project management office (PMO). Over a
period of 18 months, the unit held both the normal operating plan workshops as
well as strategic ones. In order to increase the buy-in to the strategy by the entire
business, they held a two-day workshop involving both the management team
and their direct reports. This totaled approximately 30 associates. These associates
were divided into several groups to conduct risk assessments of the proposed new
strategies and to identify new activities and risk treatments that would improve
the likelihood of achieving success. The output included changes to brands that
the unit could best leverage. The process also developed support from multiple
levels of the business, as they had an active voice in the process. This program
of workshops contributed to the unit’s successful achievement of its performance
objectives.
In 2007 the company acquired a U.S.-based entity. About a year later Pete
became the new CFO and Maria became the general manager. Maria had been
general manager of Australia during the first ERM session in 2004, and has been a
strong supporter of ERM ever since. They decided to use a similar approach to the
one Pete had helped create in Europe, adding additional objectives. In addition to
using ERM to assist in the development and stress testing of a comprehensive busi-
ness strategy, they wanted to use ERM to assist in evaluating talent, embedding a
new culture, and obtaining support from multiple layers of the business from their
leadership team, the top 30 or so associates within the business. Over two and a
half years, the unit held numerous workshops, both operational and strategic, to
help them formulate their strategy and achieve their overall objectives.
Don had been the CFO for the first Australian Food workshop in 2005. In 2007,
he became CFO of Japan. He used ERM to evaluate the unit’s strategy. In this case,
the unit had the brand manager for each brand come into the room, present the
brand’s strategy, and act as an equal member with the management team members
in evaluating the likelihood of the brand successfully achieving its objectives. Here
again, multilevel participation enhanced the buy-in within the business.
In 2010, Don became CFO of Petcare Asia/Pacific. Like Don, Richard, the GM
of the business, had been a long-term supporter of ERM. They decided to use ERM
with the regional management team to increase the probability of achieving their
objectives. Over a two-year period, we held a series of ERM workshops to help
support their development and evolution of their strategy. This included their
brand portfolio, asset investment program, individual market investment, asso-
ciate development, and so on. In addition to the standard workshop, we helped
them with scenario planning to identify risk treatments for competitor activity,
regulatory issues, and the like. In their meetings where no workshop was held,
Don led the review of the risk profile, and the team voted on the risk profile of
each strategic objective.
This team also took the standard template a step further. They categorized
the risks and risk treatments by categories within each template. They added a
fifth column that specified the actual activity. These were given to either the func-
tional head of the region or the functional team underneath them responsible for
the activity set—for example, Sales, Marketing, or Supply (i.e., manufacturing and
distribution). The respective teams then provided periodic updates as part of the
regional management team’s risk profile update process.
The team found this approach beneficial. As their objectives became “Green”
and had been achieved, they developed new templates to reflect their updated
strategies.
MAJOR ACQUISITION
When Mars made a major acquisition of a global confectionery company, the early
supporters of ERM at Mars played a key role in the adoption of ERM at the acquired
company. Jim, one of our original facilitators, took on a high-level role within the
acquired business’ U.S. operations. At his urging, the U.S. GM agreed to have an
ERM workshop for the 2009 Operating Plan in early 2009. This workshop was well
received within the acquired business.
The GM of European Sugar, during our current state assessment workshop in
2003, had been a key supporter of ERM in various senior roles within Mars. When
he became a senior manager within the acquired company’s European operations,
he introduced ERM in this region. Here again the process was well received.
Lee, the S&F Staff Officer for Mars in Asia, who had observed the first work-
shop in China and overseen the process in the region thereafter, discussed ERM
with Michael, the acquired company’s CFO of Asia. Michael was so intrigued by
the process that he had us conduct a 2010 Operating Plan workshop for his largest
unit in the region. Following our first workshop, Michael advised us that he had
found the process robust, and complementary to their other activities. As such
he asked us to conduct additional workshops for the other major markets in his
region.
Within two years, we were conducting annual operating plan workshops at
business units representing the same high percentage of the acquired company’s
global sales that we achieved at Mars.
CONCLUSION
In 2010, Mars received the Corporate Executive Board’s “Force of Ideas Award”
for ERM. It was the first recipient in this category. The award was based on the
view that Mars had successfully embedded ERM into its business model and that
other companies had adopted its process.
The key factors in the success of ERM at Mars include:
• We ensured we aligned the program with the approved principles.
• We focused on achieving our operational and strategic objectives. We did
not address compliance. We left that to the associates responsible for
compliance, and assisted them in using our tools as appropriate.
• We focused on evolution and not revolution. As a result, the program had a
continuous improvement process.
• Flexibility and not rigidity contributed to the program’s results. By assisting
units in developing the workshops and updating processes that best met
their needs, the program had a demand for services as opposed to a push.
Furthermore, many of the evolutions of the program directly resulted from
unit requests.
• The process proved to be a good identifier of talent and an opportunity for
associate development for the business.
• The ERM team never overpromised what it could deliver. Instead, we set
realistic objectives on our rollout and obtained senior management support
throughout.
• The ERM team engaged and conducted periodic surveys of the business
units, the Mars management team, and the Mars board’s advisers.
QUESTIONS
1. What represents the key success factors of the program?
2. What improvements would you make?
3. Does this represent an effective risk management program? If not, what is missing?
4. Would this program work for a publicly traded corporation of similar size?
5. How important do you view alignment and accountability among a management team?
NOTE
1. For information on Mars’ history, see www.mars.com/global/about-mars/history.aspx.
ABOUT THE CONTRIBUTOR
Larry Warner is President of Warner Risk Group, which provides ERM and risk
management consulting services. He has almost 30 years of experience in design-
ing and building risk management programs in asset conservation, safety, insur-
ance, and enterprise risk.
Prior to establishing Warner Risk Group in 2012, Larry served as Staff Officer
of Risk Management for Mars, Incorporated (including Wrigley), based in McLean,
Virginia. At Mars, Larry had global responsibility for developing and coordinating
Mars’ enterprise risk management activities, directing Mars’ global asset conserva-
tion program, managing Mars’ global property and casualty insurance programs
and claims, coordinating the auditing of Mars’ safety programs, and overseeing
the placement of its global benefit insurance programs. The Corporate Executive
Board awarded Mars its 2010 Force of Ideas Award for Risk Management for its
embedding ERM into performance management.
Before joining Mars in 1989, Larry was Assistant Risk Manager at Texas Instru-
ments. He has a BS in geography and an MBA in risk management and corporate
finance, both from the University of Georgia. He is a frequent speaker at national
risk conferences and contributor for such organizations as the American Strategic
Management Institute, the Conference Board, the Corporate Executive Board, and
the Risk and Insurance Management Society.
CHAPTER 4
Value and Risk
Enterprise Risk Management at Statoil
ALF ALVINIUSSEN
Independent Consultant, Norway
HÅKAN JANKENSGÅRD
Researcher, Department of Business Administration and Knut Wicksell Centre for
Financial Studies, Lund University, Sweden
The enterprise risk management (ERM) approach to managing a company’s risks
promises many benefits. A reading of the literature on the subject will tell you
that ERM, among other things, will reduce the frequency of surprises, lead to better allocation of resources, improve risk response decisions, and
reduce costly duplication of risk management activities (e.g., COSO 2004).
Many companies are finding out that these benefits don’t always materialize
easily. It turns out that implementing a holistic, enterprise-wide approach to risk
management often challenges the organizational status quo. Powerful individuals
and business units face a potential loss of autonomy and are asked to comply with
new reporting requirements. “The way we’ve always done things around here” is
no longer good enough, it may seem.
In companies where change is resisted, ERM is at risk of becoming an island,
an isolated process whose outputs and opinions are largely ignored by decision
makers. These so-called ghost ERM programs contribute little or nothing at all to
enterprise value. In this chapter we use the experience of Statoil, a Norwegian oil
and gas producer, for lessons about how to overcome these organizational chal-
lenges and make the potential benefits of ERM become reality.
At Statoil, understanding and managing risk are today considered core values.
This principle has been duly integrated into the organization, and is inscribed in
steering documents as well as in a booklet handed out to all employees, describing
core values, corporate governance, the operating model, and corporate policies.
The company has developed a sophisticated approach to ERM that centers on the
principle of value creation. ERM is thoroughly embedded in the business units’
way of doing things, and it appears to enjoy the wholehearted support of Statoil’s
executive officers and board of directors.
Statoil has, in other words, managed to make ERM into something that makes
a real difference. To gain insights about the success factors behind this outcome,
we will investigate how Statoil has dealt with the four main general tasks that
fall on executives responsible for ERM: (1) make sure that there is an adequate
process for identifying, managing, and reporting risks throughout the company;
(2) act as a support function to business units in this work; (3) detect and counteract
risk management decisions that are suboptimal for the company as a whole; and
(4) analytically aggregate risks to support decision making concerning the com-
pany’s total risk profile. The first two sections outline the history of ERM in Statoil,
and the guiding principles that underpin it.
ERM AT STATOIL: A BRIEF HISTORY
Headquartered in Stavanger, Norway, Statoil is one of the world’s top 10 oil and
gas producers. In 2012, the company had revenues of 706 billion Norwegian krone,
NOK (approximately 120 billion U.S. dollars, USD). In the same year, it had over
23,000 employees worldwide and produced 2,004 million barrels of oil equivalents
per day. Known for its operational excellence, Statoil is the global leader in offshore
oil production below water depths of 100 meters.
The company has a 40-year history as part of the Norwegian oil bonanza. Orig-
inally Statoil was the state-controlled company in the Norwegian model of retain-
ing both publicly and privately owned exploration companies. The privately held
company Saga Petroleum was acquired by the partly state-owned conglomerate
Norsk Hydro in 2000. Norsk Hydro in turn merged its oil and gas division into
Statoil in 2007. Statoil is now by far the largest producer on the Norwegian conti-
nental shelf.
In 2001, Statoil’s shares were listed on the Oslo and New York stock exchanges.
In early 2013, its market capitalization exceeded 80 billion USD. While the Norwe-
gian state still owns 67 percent of the company, it operates independently of the
state on strictly commercial principles.
After having sold its downstream and petrochemical businesses over the past
few years, Statoil is today heavily focused on upstream activities (i.e., exploration
and development of oil and gas reserves). Its three business areas focusing on
development are divided according to geographical regions (Norway, Interna-
tional, and the United States, with the latter being much smaller). In addition, it
has four more business areas focusing on marketing, technology, exploration, and
strategy.
ERM in Statoil got under way in 1996. Petter Kapstad, who has a background
in banking, had been asked to systematize the management of risk in the finance
department, which previously had been carried out in a fragmented and uncoor-
dinated way. The result of Petter’s work was that the risks managed by the finance
department were measured and managed as a portfolio of risks with central over-
sight. The then CEO of Statoil, Harald Norvik, realized that the same principles
could be applied to the whole company, and that there would be benefits to Statoil
from managing its risks in an integrated way. Again, Petter was trusted with the
task of leading the company in this direction.
While Statoil’s executive officers were generally positive to the idea behind
ERM, they still demanded to know “What is in it for us?” An important part of the
answer to this question came from a project group that investigated the costs and
benefits to Statoil from various financial transactions, mostly hedging and foreign
exchange (FX) transactions going on in the company. Petter and his group were
able to show that the number of transactions was staggeringly high, and that they
were mostly based on a silo thinking that made no sense at all as seen from the cor-
porate perspective. And, crucially, these transactions were not harmless or mere
annoyances. They came at a substantial cost and seriously complicated the com-
pany’s accounting as well as the management of exposures. This struck the senior
executives as unacceptable. ERM had demonstrated the economic justification it
needed. A clear mandate was given.
Early on in the project, Petter met and started working with Eyvind Aven, who
shared the same vision of an enterprise-wide approach to risk management. Impor-
tantly, Eyvind had a background in economic analysis, which complemented Pet-
ter’s experience from trading units. This fact made them bilingual in the sense that
they knew the specific terminology and ways of doing things that were prevalent
both in the company’s high-profile trading units, as well as in its headquarters.
Their ability to speak complementary languages and not being viewed as outsiders
was to prove very useful, as many tough decisions lay ahead with people who had
an interest in preserving the status quo.
An important early milestone in the implementation of ERM came in 1999,
when the Risk Committee, a cross-disciplinary advisory body on risk, was formed.
The idea behind creating this committee was to obtain a forum to which people
could put proposals and general risk issues for analysis and recommendations.
From the very beginning, the committee has been chaired by the chief financial
officer (CFO). Its main task is to advise the executive managers and the CFO on
risk issues, and is not part of the formal decision process. It consists of a broad
range of professionals with different backgrounds, such as the head of strategy,
the heads of the main trading units, the chief controllers of different business units,
and the head of internal control, in addition to the head of the risk department who
is responsible for the agenda and calling for meetings.
In 2000, the risk department was formally set up (headed by Petter Kapstad),
and started work on developing a common methodology on risk, as well as con-
tinuing the work on developing the company’s consolidated risk model that had
been initiated two years earlier. The risk department, furthermore, has the overall
responsibility for insurance and the captive insurance company. In 2005, the first
enterprise-wide risk mapping process was rolled out.
ERM FOUNDATIONS
In the early stages of the project, it was decided that Statoil would not simply imple-
ment one of the existing blueprints for ERM. Nor did Petter and Eyvind want it to
be, or it would be seen as another control function.1 They had something else in
mind. They wanted a framework that made sense to Statoil, and that centered on
the two basic goals of the company: to create value and to avoid accidents. Keep-
ing people and the environment safe are the first priority and supersede any other
objective.2 Beyond those basic objectives, however, risks are to be managed in a
way that maximizes the value of the company. This insight has a number of impli-
cations, which are explored in this section.
To begin with, the focus on value affects the very way risk is defined in Statoil.
According to Statoil’s philosophy, which is widely communicated internally,
risk encompasses not only downside risk but also upside potential. This philos-
ophy has even found its way into the corporate directives of the company, which
state that “risks shall be identified and analyzed, including both upside and down-
side impact.” On this dimension, existing off-the-shelf ERM frameworks were con-
sidered too oriented toward regulatory compliance and risk avoidance. The Sta-
toil philosophy instead recognizes that risk taking is unavoidable, even necessary,
to create value for shareholders.3 What matters is that the risks are well enough
understood and found acceptable, given their downside risk and upside poten-
tial. Reflecting this thinking, the risk maps in Statoil have been developed to show
probability and impact not only for the downside, which is the most common way
of constructing these maps, but for the upside as well (see Exhibit 4.1).
Statoil’s risk map captures both upside potential and downside risk for any
given risk factor. On the x-axis is the probability of occurrence. On the y-axis is the
impact figure, measured as the pretax impact on earnings (USD millions). Note that
the impact is measured relative to the forecasted value of earnings. All reported
risks will be considered twice in the map. The first is its potential contribution to
upside potential (to be entered above the line), and the second is its contribution
to downside risk (to be entered below the line). These two points are a summary,
or synthesis, of the entire range of potential outcomes for the risk factor in ques-
tion. For example, the risk factor denoted Risk A in the exhibit has a 5 percent
probability that the outcome will be somewhat better than expected. However,
[Exhibit 4.1: “Risk Map for XXX, Nov. 8, 2011, USD Million.” The x-axis shows Probability (1%, 5%, 10%, 15%, 25%, 50%, 75%); the y-axis shows Pretax Impact in USD million, with Impact Category bands at 1, 10, 50, 200, 1,000, and 5,000 above the line and –1, –10, –50, –200, –1,000, and –5,000 below it. Individual risks are plotted as numbered points (1 through 11), with Risk A labeled.]
Exhibit 4.1 Risk Map
[Exhibit 4.2: Statoil’s value chain, shown as three stages: Upstream (crude oil, natural gas, NGL/LPG), Downstream (refining, methanol, dry gas), and Market (crude oil, fuel oil, gas oil, jet kero, gasoline, naphtha, methanol). “The risks that matter” are grouped into market risks and operational risks; the risk labels shown include currency and interests, accidents, catastrophes, HSE risks, project risk, production risk, reservoir risk, country risks, and tax risks.]
Exhibit 4.2 Statoil’s Value Chain
there is a 10 percent probability of a fairly significant loss relative to the forecast
(USD 200 million). For this particular risk, the downside risk is larger than the
upside potential.
As already mentioned, value creation is the basic guiding principle for ERM in
Statoil. That is demonstrated by the emphasis the company puts on viewing risks
in a value chain perspective. In the corporate directives it is written that the com-
pany’s approach is to “identify, evaluate, and manage risk related to the value chain
to support achievement of our corporate objectives” (original emphasis). Statoil’s
value chain is outlined in Exhibit 4.2, showing how its main activities progress from
upstream (oil exploration and development) to downstream (petroleum refine-
ment) to market (selling its products into various global markets).
Statoil’s value chain consists of three main stages: the exploration and devel-
opment of oil and gas reserves (upstream); the refinement of hydrocarbons into
various petroleum products (downstream); and the selling of crude oil, gas, and
refined products into different markets. The most important risks (“the risks that
matter”) have been divided into two categories: market risks and operational risks.
What difference does the value chain perspective make? First, it serves as a
clear signal to everybody involved (i.e., Statoil’s employees and other stakehold-
ers) that value creation is the metric being pursued through ERM, and it is the
impact on Statoil’s performance that ultimately counts. Statoil’s thinking on this
issue is that if ERM is limited to managing risks related to goal achievement in var-
ious business units, the result will be “satisficing” rather than value maximizing.4
Another important benefit of the value chain perspective relates to the fact
that the large number of risks identified in the risk map can make it challenging
to understand what is really going on. By sorting the risks into a value chain, one
can more easily see the bigger picture and, through the lens of the company’s
business model, see how the different risk categories hang together. In other
words, the value chain perspective allows Statoil to rework the knowledge about
risk contained in the risk maps into something that is more analytically and
logically coherent.
The concept of core risks further underlines the central role of value creation as
a guiding principle for ERM in Statoil. To understand this concept, we need to go
back to 2001, when the company’s shares were listed.5 During the listing process,
there were investors looking for arguments as to why they should invest in Statoil.
Recognizing that investors were entitled to information about what exposures they
were getting when they invested in Statoil shares, the company formulated the
idea of core risks, understood as the risk exposures that an investor would expect,
and even desire, to have from buying Statoil shares (the most important of which
was the exposure to oil and gas prices). The core risks are owned by the CEO of
the company and are coordinated centrally in the organization. One of the prac-
tical consequences of this is that trading mandates throughout the company have
been substantially restricted and placed under central scrutiny. At the end of the
day, this should increase the transparency and predictability of the risk exposures
obtained by investing in Statoil shares, which lowers the risk premium investors
attach to the company and hence also its cost of capital (Jankensgård, Hoffman,
and Rahmat 2013).
ERM PROCESSES IN STATOIL TODAY
So far we have discussed the history of ERM in Statoil and the guiding principles
underpinning it. We now turn to the more practical issues of what tasks execu-
tives need to address for ERM to work in practice and for its potential benefits to
be realized. The first two tasks, covered in this section, are making sure there are
adequate processes in place for managing risks throughout the organization, and
acting as a support function to the business units as they go about this.
Let us dispel a potential misunderstanding. ERM does not imply that all risks
should be managed, or owned, centrally in a company. While some risks certainly
are managed centrally in Statoil (its core risks, as discussed in the previous section),
the business areas are responsible for managing the large majority of the risks that
arise in their lines of business.
Just because a business area has been designated the owner of a particular risk,
however, doesn’t mean that sound management of this risk automatically follows.
Corporate management needs to ensure that risk management in the business units
is of sufficient quality. Corporate management also has a legitimate right to be
informed about the main risks in each business unit and what is done about them.
These considerations lead us to what for many is the bread and butter of ERM,
namely the process of identifying, mitigating, and reporting risks. For brevity, we
will refer to this as the “risk mapping process.”
In Statoil, the risk mapping process follows a quarterly rhythm, which is the
frequency at which the business units are required to update their risk maps. This
is not just a numbers exercise. The units are expected to provide discussions and
justifications for their assumptions, and explain what their policy on each main
risk is. As part of the company’s quarterly review meetings,6 they also meet with
top management to discuss the status with regard to major risks. These two facts—
providing written justifications and actually meeting with representatives of top
management and the risk department—go a long way toward ensuring the quality
of the outputs of this process (the probability-impact estimates). Since the business
units know this lies ahead, they have every reason to do a good job preparing
and thinking through their estimates of risks (and their mitigation actions). It also
counteracts any tendency to think along the lines that “this risk certainly exists,
but it surely will not happen during my time in office, so I will just do nothing.”
The risk department, in turn, writes a brief in response to the business units’
risk maps, which is sent to executive management. Statoil’s board of directors is
also briefed on the risk profile on a quarterly basis, and they receive a condensed
version of the risk map prepared by the risk department.
The risk department is not only a supervisor of the risk mapping process. It
also provides support to business areas and helps spread best practices. It has the
expertise and resources to assist business units in multiple ways from advice on
how to manage a particular credit risk to suggesting a methodology for quantifying
a certain market risk.
A useful example of the role of the risk department as a resource available
to support business areas in their commercial activities comes from country risk.
Statoil’s risk department has, in collaboration with consultancy firm IHS Global
Insight, developed a deep expertise in this area, which is of particular importance
to a company active in many of the world’s most risky countries. This effort has
resulted in a large internal knowledge base on country risk, as well as a stan-
dardized methodology for evaluating country risk as part of new investment pro-
posals. The business areas are able to draw on these resources, and work with
the risk department to reach the appropriate policies for each country and new
investment.
In the risk mapping process, rigorous quantification of probability and impact
has been considered essential to make the risk maps useful to support decision
making. Quantification brings a focus on the financial bottom line of the company,
and makes it possible to compare different risks in a meaningful way. What one
person would label a large risk may well be a small one to someone else, depending
on references.
OPTIMIZING TOTAL RISK
The two tasks related to ERM discussed so far, the risk mapping process and the
role of adviser to the business areas, are conceptually straightforward. The third,
avoiding risk management decisions that are suboptimal for the company as a
whole, is less so. To increase the understanding of the issue, we will discuss several
practical examples in this section.
In Statoil, avoiding suboptimal decisions is also known as “optimizing total
risk.” Optimization of total risk has been unyieldingly pursued by the ERM team,
with several tangible benefits for the company. The value metric that underpins
ERM in Statoil implies that it is the perspective of the company as a whole that
should rule in practical situations where different individuals and business units
may have differing views on how to proceed.
A straightforward example of possible suboptimal behavior concerns foreign
exchange (FX) risk management. Consider a situation where one business unit is
selling into a market where the product is quoted in U.S. dollars, and another unit
is sourcing material priced in the same currency. Whereas each unit may have an
incentive to manage its own exposure, what counts for the company as a whole is
the net of these exposures. Lacking a central policy, risk could be overmanaged to
the extent that managers of business units use FX derivatives to cover exposures
that would cancel out from the perspective of the company. Apart from the burden-
some accounting that derivatives cause, there are also significant direct costs from
such overmanagement of risk. Statoil calculates that if two business areas simul-
taneously cover a USD 10 million exposure (by no means a large hedge by Sta-
toil’s standards), it would incur transaction costs of around NOK 180,000 (assum-
ing a USD/NOK exchange rate of 6 and a bid-ask spread of 30 basis points). Since
ERM was implemented, Statoil has withdrawn the ability of business units to set
their own policy with regard to FX derivative usage. Besides avoiding the trans-
action costs just mentioned, a centralized FX derivative policy entails a number of
other advantages, such as business units focusing on their core activities and an
increased ability to coordinate the derivative policy with other corporate policies;
see Jankensgård (2013) for a detailed discussion.
Our second example of potential suboptimization concerns the hedging of oil and gas exposures. Prior to ERM, business units used to have fairly generous mandates to hedge their exposures to these market prices. This created a potential problem from the perspective of the company as a whole. Besides complicating the assessment of net exposures on the corporate level, the business units were basing their hedging decisions on criteria that were disconnected from the goal of maximizing value. What drove a unit’s decision to hedge was instead a desire to lock in prices when they were above the price that was assumed when targets were set for the year, but to leave them unhedged otherwise. If the business plan had assumed an oil price of $100 and it later climbed to $115, the unit could use a derivative contract to lock in this level, which ensured it would beat the target and could collect a bonus for the year. As mentioned earlier, these mandates have been gradually reined in and subjected to strict limits set centrally in the organization.
A third example of a business unit optimizing its own risk/return with the result being suboptimal decisions for the company overall comes from Statoil’s captive insurance unit. Previously this unit sought to justify its existence as a stand-alone unit by showing robust profits. In so doing, it benefited greatly from the implicit guarantee provided by Statoil’s credit rating and strong balance sheet. From the perspective of ERM, this is incorrect. Rather, the captive should be a tool for Statoil in optimizing total risk. Today the captive does this. The insurance policy of Statoil now targets the things that matter: the really big risks related to business continuation. That is, the insurance program focuses on the risks that really could throw Statoil off course, and ignores (i.e., self-insures) the lesser risks that ultimately have no significance for Statoil’s ability to meet its overall objectives.
TOTAL RISK OPTIMIZATION: LESSONS LEARNED
Optimizing total risk may sound simple in principle. Indeed, it is one of the supposed core principles of ERM. ERM texts routinely contain phrases like “avoid duplicating costly risk management activities” and emphasize this as one of the main benefits of ERM (as opposed to a silo or decentralized approach to risk management).
In reality, optimizing total risk is not so easily achieved. A key reason for this is that it threatens the established way of doing things. Powerful units and individuals may have little interest in conforming to ERM because it reduces their autonomy and requires a change in how they work. Some deeply rooted habits may need to change. As a result, many will resist, which may prevent an ERM program from lifting off the ground.
Consider also the way the ability to manage risk hangs together with the system for performance measurement used by the company. Let’s say a business unit is evaluated on its earnings before interest and taxes (EBIT). Since the unit is responsible for its own result, it seems only reasonable that it should have the freedom to manage the risk exposures related to it. However, this conflicts with the legitimate goal of headquarters to centralize management of FX risk or other core risks (e.g., oil prices) given the substantial benefits of a centralized approach (as discussed earlier). Hence, we have a conflict between the desire to centralize risk management and the way the company measures the performance of its business units.
So how do you succeed in making the ERM mind-set take root despite these potential problems? A few factors stand out in Statoil. For example, the company has ensured that key performance indicators (KPIs) and balanced scorecards that the company uses to evaluate its business units are, to the extent possible, unaffected by the centrally managed core risks we introduced earlier. This is a very important principle, because it resolves many of the potential conflicts of interest that could arise from centralizing risk management. As mentioned, energy prices and exchange rates could greatly impact the company (e.g., its EBIT), which could create incentives for the business units to manage these risks. In Statoil, however, the performance measures used have been designed to exclude the impact of these external factors. This means that the company achieves central management of these risks but largely avoids the discontent that could result from business units having to live with large risk exposures.
Beyond established KPIs and scorecards, work has also been done to make taking the best decision for Statoil the normal and expected thing for an employee. Obvious though the foregoing may sound, many units are, for often quite understandable reasons, very focused on meeting their own targets and consequently do not see beyond the border of their unit. The ERM team has, however, sought to make it part of anyone’s job description to think in terms of Statoil’s net benefit. People have been made aware that this is expected of them.
Another success factor in this regard has been to spend significant amounts of time beforehand thinking about what the ERM should ultimately look like, and why. Petter and Eyvind call this “doing one’s homework.” Having a coherent set of arguments ready to defend a particular measure meant to optimize Statoil’s total risk has made it much easier to stand firm when people resisted change.
The Statoil experience also illustrates the importance of getting the Risk Committee right. If not done the right way, such a committee will continue in old tracks and look at risks in a silo fashion. Attendance will be low and the committee’s utterances will carry little weight. If done right, however, it will develop into an effective ERM champion whose recommendations are widely respected and translated into action.
The Statoil Risk Committee today is indeed a guardian of Statoil’s best interests in matters related to risk. It effectively functions as an ERM filter in which difficult questions are voiced and resolved. Policies that were earlier set in isolation in a particular department now have to pass through the Risk Committee. For example, Statoil’s FX policy is prepared by the finance department, but needs to be thoroughly discussed and supported in the Risk Committee.
A useful example of the committee’s role in resolving issues related to total risk optimization comes from the process of setting performance KPIs and scorecards for business units (as discussed earlier). Wrongly formulated targets are seen as a threat to total risk optimization, because they may encourage a behavior that runs counter to this goal. The Risk Committee counteracts such tendencies by checking if a particular target makes sense and is compatible with Statoil’s overall best interests, a loop that in Statoil is referred to as “pressure testing” the targets.
What accounts for Statoil’s success in turning the Risk Committee into an ERM champion? The importance of having the unwavering support of key individuals in the executive team cannot be overstated here. Moreover, setting up an interesting agenda with a certain content of education (especially in the early days of the program) seems to have been a key success factor for the Statoil Risk Committee. The Statoil experience also shows that the committee should remain a specialist forum, and that one should stay away from attempts to integrate it with top management. Ultimately the Risk Committee needs to remain an advisory body, not an executive one, though it needs to carry enough status to be seen as the real arbiter on risk-related issues in the company.
RISK AGGREGATION
Developing risk maps and assembling the risk register produces a lot of information about risks, in qualitative as well as in quantitative terms. The simple fact that these processes are in place provides some reassurance that the risks are recognized and given proper attention. This is a goal in and of itself.
While in many ways essential to an ERM program, risk maps are largely static devices that don’t allow codependencies between risks to be taken into account in any meaningful way. As a straightforward example, consider the relationship between the oil price and the USD/NOK exchange rate. Given the oil dependency of the Norwegian economy, this exchange rate tends to be sensitive to the price of oil, which is quoted in USD. Over the decades, this has provided Norwegian oil companies with a natural hedge: A lower oil price tends to weaken the Norwegian krone, as less oil revenue needs to be converted into NOK. Such dynamic relationships are hard to capture in a risk map, yet they are highly relevant to the risk management strategies of these companies.
Nor do the risk maps easily translate into an overall estimate of the uncertainty in the firm’s future performance, as expressed through financial bottom lines such as earnings, liquidity, or balance sheet ratios. These shortcomings of the risk maps bring us to the fourth task facing the executives responsible for an ERM program: aggregating the firm’s portfolio of risks into some indicator, or metric, that can guide the company’s executive team (and board of directors) in matters related to the firm’s overall risk profile.
Alviniussen and Jankensgård (2009) argue that most ERM programs today are detached from the analytical work of predicting and managing the firm’s financial position. Not taking into account the firm’s financial situation means that, despite the ERM effort to identify and quantify risks, an estimate of aggregate risk continues to elude companies implementing ERM. In the enterprise risk budgeting (ERB) approach proposed by these authors, the risk register is integrated with the firm’s financial planning process to generate risk-adjusted forecasts of important enterprise-level indicators of performance and financial health.
To address the concerns voiced in the previous paragraph, companies need to take a more analytical and quantitative approach to risk management. In practical terms this implies building a model that combines the company’s many different risks into a probability distribution for some bottom line considered important, such as earnings or its debt-to-assets ratio. From such a probability distribution, summary risk statistics can be obtained—for example, the loss in earnings associated with a certain probability (this measure is known as earnings at risk). Generally, this approach requires some form of simulation methodology (e.g., Monte Carlo simulation).
Statoil’s corporate risk model, briefly introduced earlier in this chapter, is based on these principles. It contains a sophisticated methodology for estimating the amount of variability in the firm’s main risk exposures, based on historical time series, as well as estimates of the tendency of these risks to co-vary. It lets the user select an output from a list and, within a few minutes’ time, obtain a probability distribution for this variable. Moreover, the user can learn what the probability distribution would look like under an alternative course of action. For example, the model allows the user to overlay the probability distribution for net income with a second distribution that takes into account a certain risk management strategy (e.g., buying put options covering a certain fraction of the company’s net exposure to the oil price). Such an overlay is illustrated in Exhibit 4.3.
Statoil’s risk model allows the company to produce a probability distribution for various financial parameters considered important, such as earnings or return on assets employed. The obtained probability distribution can be used to derive summary risk statistics of the company’s overall risk. In this graph, the base case outcome distribution (the darker line) for net income is compared with what it would look like if the company implemented a large-scale hedge of the oil price (the lighter line). The values of net income on the x-axis have been deliberately hidden. The vertical dashed line represents the value of net income associated with the 5th percentile of the probability distribution, a measure commonly referred to as net income at risk (or earnings at risk).
THE FRONTIERS
Part of the philosophy of ERM in Statoil is never to lean back and consider the job done. While the progress in achieving the necessary buy-in for new approaches is gradual and sometimes slow, the frontiers are pushed ever forward. Decision makers around the company need to have their worldviews challenged, as the thinking goes, and to be provoked into new ways of looking at things.
[Exhibit 4.3 Comparing Different Risk Profiles: chart titled “Statoil Portfolio with Oil Hedge”; y-axis Frequency of Occurrence (%), ticks from 0 to 0.03; net income values on the x-axis hidden]
One area where work is currently being done is giving the concept of risk appetite a content that is meaningful to Statoil. Risk appetite is commonly construed as the amount of risk exposure a company is willing to retain in order to pursue the upside potential it considers appropriate and desirable. True to its tradition of quantifying risk, Statoil frames risk appetite in terms of several quantitative risk measures. The variable return on capital employed (ROCE) is one of the performance indicators that Statoil considers useful in this regard since it sums up the net effect of a large number of risk exposures. Risk appetite in Statoil is about formulating, for a given upside, how large of a potential shortfall, or tail risk, Statoil is willing to accept in terms of a particular performance indicator; see Jankensgård (2010) for a discussion about constructing shortfall risk measures in an ERM context.
Another area where Statoil is pushing the frontiers concerns the relationship between ERM and strategy. As part of this project, the ERM team has developed estimates of how different strategic paths would contribute to different risk categories, such as reservoir risk, implementation risk, market risk, or risks related to health, safety, and environment. Depending on which strategic path is considered, the composition of the company’s overall portfolio of risk would gradually shift in a particular direction (see Exhibit 4.4). This initiative is about clarifying the nature of this impact and making senior decision makers aware of the consequences of their strategic decisions.
This graph illustrates how different strategic paths would, if implemented by management and the board of directors, impact the overall composition of Statoil’s portfolio of risks. Each bar represents a strategic path, and the shadings indicate the relative importance of different types of risk (country risk, market risk, implementation risk, and so on). The y-axis shows the expected risk (probability/impact) associated with each strategic path on both the upside and the downside. Note that certain risk categories appear on both the upside and the downside, and that these impacts need not be equally large. This asymmetry is at hand also for market risk, due to differences in marginal taxation across different income levels for oil companies. In the final decision making, the risk profile of each strategy path would have to be compared with the estimated investment outlays and the expected return on investment (not shown in the graph).
[Exhibit 4.4 ERM and Strategic Risk: stacked bar chart titled “Risk Specifications—Segments”; x-axis Strategic Paths (Strategic path 1 through Strategic path 8); y-axis Risk Figure in USD Million, from –300 to 200; bar segments labeled Impl., Market, Coun., and HSE on both the upside and the downside]
CONCLUSION
In Statoil, understanding and managing risk is today considered a core value of the company that is written into the corporate directives and widely communicated to employees. ERM is thoroughly embedded in the organization’s work processes, and its Risk Committee has managed the transition from a silo mentality to promoting Statoil’s best interests in areas where risk needs to be considered. The company has introduced the concept of core risks, which are the risk exposures that the company needs to manage consistently vis-à-vis its investors and which therefore require central management. In several areas where risk management used to be pursued in a silo fashion, based on incentives existing locally in the organization, risk is now optimized from the perspective of the company as a whole. ERM in Statoil is not a control function aimed at minimizing risk, but dedicated to the goal of maximizing enterprise value given both downside risk and upside potential.
Achieving these outcomes is by no means trivial, because it challenges the organizational status quo and forces people to think and act differently with regard to risk. Statoil’s success in achieving these outcomes is largely explained by the diligent work of a few key individuals, who consistently over many years have pursued a risk management program that maximizes the value of the company as a whole, as well as the strong support of the executive officers and directors. The ERM program has involved changing people’s attitudes toward risk, and making Statoil’s enterprise value the metric that people are ultimately expected to pursue. It has also involved thoughtfully changing the performance evaluation systems in ways that address the potential conflicts of interest that result from centralizing risk management.
QUESTIONS
1. Why might it be in a firm’s best interest to centralize the management of some risks but not others?
2. Describe why the organizational status quo might lead to resistance to ERM implementation. How can this potential resistance be overcome?
3. How do you succeed in making sure that the risk committee really turns into an ERM champion, as opposed to continuing in a silo mentality?
4. What are the costs and benefits of integrating the ERM risk register in the firm’s financial model to obtain “risk-adjusted” financial forecasts?
5. What are the key financial risk factors that a company could encounter?
6. What should limit Statoil’s capacity to invest in profitable new oil projects, that is, take on new risks?
7. For which risk factors would it be advisable to use Monte Carlo simulation to quantify the distribution of outcome?
8. In what cases would it be relevant for an oil company to consider effects of correlation between risk factors in quantifying risk?
NOTES
1. This is not to suggest that internal audit has been excluded from the ERM process. On the contrary, internal audit has been strongly supportive of ERM and has contributed valuable resources to it.
2. This is underscored by the fact that the risks related to health, safety, and environment are the responsibility of a separate corporate function (Corporate Safety).
3. Statoil’s internal communication puts it this way: “We live by taking risks.”
4. The term satisfice was introduced by the American researcher and Nobel laureate Herbert Simon in 1956. It refers to a decision-making strategy that seeks to achieve an acceptable outcome, as opposed to the optimal outcome, which requires expending more time and effort.
5. Statoil’s shares were simultaneously listed on the New York Stock Exchange.
6. The quarterly review meetings are occasions in which top management meets with business areas to discuss the unit’s performance vis-à-vis previously agreed targets. This refers to the unit’s overall financial performance as well as specific key performance indicators. Risk is therefore only one of several issues on the agenda for these quarterly reviews.
REFERENCES
Alviniussen, A., and H. Jankensgård. 2009. “Enterprise Risk Budgeting: Bringing Risk Management into the Financial Planning Process.” Journal of Applied Finance 19, 178–192.
COSO. 2004. Enterprise Risk Management—Integrated Framework. New York: Committee of Sponsoring Organizations of the Treadway Commission.
Jankensgård, H. 2010. “Measuring Corporate Liquidity Risk.” Journal of Applied Corporate Finance 22, 103–109.
Jankensgård, H. 2013. “Does Centralization of FX Derivative Usage Impact Firm Value?” European Financial Management, forthcoming.
Jankensgård, H., K. Hoffman, and D. Rahmat. 2013. “Derivative Usage, Risk Disclosure, and Firm Value.” Financial Management Association Europe Conference Paper.
ABOUT THE CONTRIBUTORS
Alf Alviniussen is former Group Treasurer and Senior Vice President of Norsk Hydro ASA, Oslo, Norway. After 42 years in the company holding leading positions within the group treasury and corporate finance, including responsibility for risk management and financial planning, he is now acting as an independent consultant.
Håkan Jankensgård holds a PhD in risk management from Lund University, Sweden. He is the former risk manager of Norsk Hydro and has more than 10 years’ experience in advising companies on their risk management strategies. He is currently a researcher in corporate finance at the Department of Business Administration and Knut Wicksell Centre for Financial Studies, Lund University.
CHAPTER 5
ERM in Practice at the
University of California
Health System
GRACE CRICKETTE
Senior Vice President and Chief Risk and Compliance Officer, AAA Northern
California, Nevada, and Utah; former Chief Risk Officer, University of California
The University of California’s Health System is comprised of numerous clinical operations, including five medical centers that support the clinical teaching programs of the university’s medical and health sciences schools and handle more than three million patient visits each year. The medical centers provide a full range of health care services in their communities and are sites for the development and testing of new diagnostic and therapeutic techniques. Collectively, these centers comprise one of the largest health care systems in the world.
The University of California Office of the President’s Office of Risk Services is responsible for developing and implementing enterprise risk management (ERM) systemwide, identifying and developing strategies to minimize the impact of risk, developing a center of excellence for managing risk, reducing costs, and improving safety by executing new ideas and strategic plans in a rapid manner in support of the university’s mission of teaching, research, public service, and patient care.
THE ENTERPRISE RISK MANAGEMENT PROGRAM
The University of California (UC) System began an ERM initiative as a natural progression of making the decision to adopt the Committee of Sponsoring Organizations (COSO) Internal Control—Integrated Framework in 1995, and in that same year UC’s vice chancellors for business and finance accepted an internal audit recommendation to adopt COSO as the Internal Control Integrated Framework for the university. In 2004, COSO’s inclusion of enterprise risk management into its model led to the hiring of a chief risk officer (CRO) tasked with implementing enterprise risk management.
The chief risk officer, who had previously implemented ERM for a publicly traded company, set out to learn about the operations and culture of the university and identify what ERM activities were already in place and where there were gaps, and what would be the best approach for implementing ERM. Visits were made to all of the campuses and medical centers, and leaders from various departments and disciplines were gathered together and asked: How do you know if you are doing well? What data do you have to let you know how you are doing? Leadership clearly was able to articulate their objectives and the risks that could impact those objectives, but the data for measuring and monitoring were not timely and were primarily ad hoc, annual, and manual. The information gathered through these meetings was critical for understanding and developing the key performance indicators (KPIs) that would later become an important component of the ERM program. (See What Is a KPI?)
What Is a KPI?
Generally, strategic or operating plans will identify the critical success factors and key goals of an organization. Critical success factors are the areas that the organization must focus on and do well in to satisfy customer/client needs. An example may be “meeting client expectations.” KPIs are derived from critical success factors and define these critical success factors into more meaningful criteria. For example, the critical success factor of “improve productivity” might have KPIs such as cost, service quality, cycle time, streamlining of processes, and reduced duplication and/or rework.
How often can KPIs be updated?
KPIs can be updated as frequently as the data they are drawn from is updated. Some examples:
Claims information, daily
Payroll information, monthly
Construction scheduling, quarterly
How is improvement measured with KPIs?
Improvement is measured by looking at ratios between time periods relative to risk. For example, in the area of workers’ compensation:
Recordable rate = Number of injuries relative to the hours worked
Next, an ERM panel was formed to develop an ERM strategy. The ERM panel included management representatives from the Office of the President, the campuses, and the health system. The CRO along with the ERM panel recognized that, given the complexity of the university’s operations and the general decentralization of services and information, technology would need to be leveraged to identify, manage, and monitor risks. The overall strategy was to develop a data warehouse that could manage information already being collected by various groups, existing programs, and initiatives throughout the system—an enterprise risk management information system (ERMIS). Once consolidated in a single location, the data could then be used to analyze processes, risks, and controls systemwide.
As the ERMIS was being developed, the CRO commissioned a cost of risk study to be able to measure and monitor success of the ERM program. The first Risk Summit was held with more than 100 attendees, and the charge was given to the attendees to reduce the cost of risk by 16 percent in 24 months. How? At the summit the program Be Smart about Safety (BSAS) was launched, which was the first of many initiatives focused on preventing and managing risk. The university not only met this charge, but exceeded it by meeting the target in only 18 months.
Leveraging Technology to Support ERM
UC continues to develop the ERM information system (ERMIS), a flexible and dynamic system, to give campus stakeholders at multiple levels the information they need to make business decisions in a timely and effective manner. The ERMIS essentially “democratizes” information, in that it has the ability to provide key data and reports to personnel at all levels and locations of the university. As the data integrated has become richer and its use more widespread, the value of the ERMIS has grown in creative ways.
The ERMIS started with simple risk assessment tools and expanded to include:
• Dashboard reporting on major areas of risk
• Control and accountability tracking platform
• Risk mitigation and monitoring tools
• Survey capabilities
All of these tools can be used independently or interdependently, allowing for:
• Better quantitative analysis capabilities
• Improved analytical and reporting capabilities
• Support for leading risk governance and compliance processes
• Systemwide visibility, with local flexibility
• Scalability without additional burden on UC staff
While the ERMIS dashboard system is prepopulated with some KPIs, UC continues to work with each location to develop KPIs that are helpful to supporting the location’s own initiatives. ERM groups find the ERMIS to be an important tool for identifying and understanding risks. The system will also support the monitoring of internal controls and accountability, providing valuable information to the controllers and internal auditors. These capabilities lower the overall cost of risk (oftentimes associated with day-to-day operations) across the institution.
The creation of automated reports within the ERMIS increases workforce efficiency. Redundancy is reduced by the creation of automated reports made readily available to those with a need to know. Instead of having the same or similar reports being developed and maintained without the benefit of shared knowledge at different divisions, departments, schools, campuses, medical centers, and other locations, the ERMIS enables sharing of analyses and information easily and efficiently across multiple different locations. (See Exhibits 5.1 and 5.2.)
[Exhibit 5.1 ERM Process: flow diagram with stages Define, Analyze, Control/Monitor, Evaluate; boxes for Identify Risks, Quantify Risks, Monitor Risk Control and Mitigation, Audit Risks, Report to Management, Risk Management Summary Reporting, and High-Level Stakeholders]
Creating a Risk-Aware Culture
The foundation of the University of California’s enterprise risk management program is to have people actively manage their various risks—everyone is a risk manager! One key to creating a culture where everyone is a risk manager is to give them tools that meet their specific needs. That means developing different tools, work groups, and initiatives, but delivering them in a cohesive and integrated manner. Also, how can we create personal ownership for identifying, managing, and monitoring risk? A group of forward-thinking people at UC Davis came up with a solution, and the My Managed Risk portal was born!
The My Managed Risk (MMR) portal was designed as an entry point to the services and resources provided by the Office of Risk Services. It serves as a centralized location for authorized users to access enterprise risk management–related tools and information. The portal allows users direct access to their authorized ERM applications, as well as the ability to view content related to the ERM Solution Set, and at the same time to stay informed of up-to-date news and articles directly related to enterprise risk management. The streamlined design also provides an efficient way for users to search within the MMR portal in order to retrieve contents of interest quickly. (See Exhibit 5.3.)
Health System Specialized Programs
The UC Health System participates in and benefits from all of the tools and programs that come under the umbrella of ERM, but, in keeping with delivering the right tools to the right people, UC continues to develop programs specific to health care.
Exhibit 5.2 ERMIS Dashboard Samples
Dashboard Name | Description
CFO Division AIM: Actionable Information for Managers | Promote positive administrative behavior at the campus level via campus-by-campus comparisons. Results are indicative of business/operational performance and are within Chancellor’s realm of control.
Financial Accounting | Count of hand-postings, direct deposits, electronic W-2 and payments, CFR reports, and percentage of transactions not cleared.
Financial Services and Controls | Connexxus participation, travel spend, and savings. Purchase card expenditures, administrative efficiency, and incentives.
Procurement Services | Systemwide procurement savings, procurement spend under management, and percentage of transactions processed electronically by location.
External Finance, UC Bond Debt | Provides visibility and trending on UC bond debt by location.
Medical Quality | Extends medical quality reporting data to support risk management activities.
Travel Incidents, Calls, Claims | To correlate and report data from all travel insurance and travel agencies for UC students and staff traveling throughout the United States and world (anticipated).
UCSF PD Early Warning System Report | Provides UCSF PD leadership the ability to track and identify patterns of multiple staff complaints/investigations/incidents.
UC Travel Dashboard—Connexxus | Tracks campus adoption of the Connexxus travel system and actual savings for campuses that utilize Connexxus.
Waste Diversion | Contains results of the annual waste diversion campus survey. Allows for comparison of recycling/waste diversion between campuses.
Human Capital Dashboard | Provides human resources–related correlations by department and reason description by utilizing enrollment, FTEs, head count, hours, EPL claims, employee separation/retirement, OSHA rates, and harassment prevention training.
Safety Index Dashboard | Provides safety-related loss and exposure correlations by department and cause description by utilizing the following elements: WC claims, FTEs, hours, head count, vehicles, GL, student population, acres, property losses, and OSHA rates.
Safety Index ROI Enhancements | Illustrates the direct and indirect costs of safety risks at UC
locations and enterprise-wide.
UC Ready Provides mission (business) continuity plan completion counts for
all locations at the department level.
UC Ready
Department-Level
Enhancements
Systemwide continuity plan completion and activity metrics at
department level.
Reputational Risk (CDPH) Provides aggregated counts and trends for medical center–related
complaints and penalties as reported by California Department
of Public Health.
Reputational Risk (OSHA
Cube)
Allows visibility in OSHA claims against UC locations that may
cause reputational risk to UC.
Office of General Counsel
(OGC)
Provides visibility to legal cost by locations.
Medical Center Provides Medical Center loss and exposure trends and
correlations.
Medical Center PL Cube Provides users the ability to create ad hoc reports utilizing selected
Medical Center claims data.
www.it-ebooks.info

http://www.it-ebooks.info/

80 Implementing Enterprise Risk Management
Exhibit 5.3 UC My Managed Risk Portal
Integrating Traditional Risk Management into ERM

Are traditional risk management and ERM two separate programs, concepts, and disciplines? The short answer is “No.” Rather, the traditional risk management practices are critical components that make up the ERM portfolio. To get at the big enterprise picture for incidents, events, and claims arising out of the medical centers and hospitals, UC developed an approach to the evaluation of medical incidents, events, and claims. (See Exhibit 5.4.)

Trending, monitoring, and reporting of adverse clinical events and their root cause(s) are done as part of ERM:

• Each University of California Medical Center uses a web-based clinical incident reporting system that permits any staff member to report an event or near miss. The university medical centers are moving to a commercial incident reporting platform that will be consistent across all facilities and permit comparison reporting.
• Each of the UC medical centers has individuals (category managers) who are responsible for the monitoring and evaluation of certain types of events and taking action on them. The Office of Risk Services has access to this system and receives notice of significant events through the system.
• Trend reports are prepared for facility patient safety and quality committees and forwarded through the facility committee structure to the facility governing body—typically the dean of the School of Medicine.
• Adverse event incidents are monitored, and serious events that may require reporting to the state are reviewed weekly; any that are sentinel events result in a root cause analysis.
Exhibit 5.4 UC’s Enterprise Risk Management Approach to the Evaluation of Incidents, Events, and Claims (flow chart; its three tracks are summarized below)

Incident (includes near misses): Incident reporting system captures identified event or near miss -> Directed to Category Manager -> Trend reports developed by location Quality or Risk (Metrics & Benchmarks) -> Trend reports provided to location Quality & Safety Committee -> Trend reports are forwarded to the location Executive Committee of the Medical Staff -> Trend reports provided to Governing Body

Adverse Event: Adverse event directed to Category Manager/Quality & Risk* -> Serious events identified and reviewed by weekly Quality of Care Steering Committee -> Sentinel Event/Root Cause Analysis -> Trend reports (Metrics & Benchmarks) provided to location Quality & Safety Committee -> Trend reports are forwarded to the location Executive Committee of the Medical Staff -> Trend reports provided to Governing Body

Claim/Lawsuit: Directed to Local Risk Manager, Claims Adjuster, OGC and OPRS -> Case reviewed by facility Risk Committee for quality of care issues -> Corrective Action is reported to Board of Regents as part of request for settlement -> Retrospective Reviews/UC Action

*Serious events are identified and reported to location Quality of Care Steering Committee for review. This committee is multidisciplinary and includes key individuals of the Quality & Safety Committee (e.g., the chief medical officer, other physician staff members, the chief nursing officer, legal, quality, risk, and compliance).
• In addition, the medical centers measure and review data on a number of metrics from patient complaints to infection rates, patient falls, and so on.
• Hospital-level data is compared with national benchmarks, United Healthcare (UHC) data, and so on.

Individual adverse events may result in claims and lawsuits:

• Risk Services manages the Third Party Claims Administrator to ensure that the claims are promptly investigated and appropriately resolved. As part of this process, Risk Services monitors the Third Party Administrator (TPA) performance against developed performance expectations.
• Risk Services in conjunction with the Office of General Counsel (OGC) and medical center risk management staff collaborate to ensure that the cases are well managed throughout the claims and litigation process. A select panel of defense attorneys is assigned cases.
• Risk Services through Legalbill monitors law firm billing compliance with university guidelines to ensure that the university benefits from a cost-efficient and cost-effective legal defense.
• Medical Staff Risk Management Committee at each facility reviews claims and lawsuits and makes evaluations regarding the quality of care and corrective action that is needed internally; the committee monitors the action through to resolution by the responsible departments. The Risk Services director attends the committee meetings at the locations periodically.
• There are also facilities (allocation committees) that review settled claims and lawsuits and attribute responsibility to individual practitioners or to system issues. If individuals are identified as responsible, they are reported to the external state licensing boards. Risk Services and OGC are responsible to ensure that cases are appropriately reported to both the state licensing boards and the federal National Practitioner Data Bank, and work with the locations to advise them on reporting. Both the Risk Services director and an OGC representative participate with a facility medical director to review the reporting recommendations of the local facility.
• If cases result in costs to the university, inclusive of defense and indemnity, each location has to identify the risk issues involved and the corrective action taken or planned; this action is reviewed by the Risk Services professional liability (PL) program director and the CRO; for cases of certain value, the actions are also reviewed by the senior vice president for health sciences and service.
• Additionally, the General Counsel and the Board of Regents review the corrective action that is reported.
• In addition, Risk Services has developed and implemented a monitoring system to ensure that corrective actions on cases costing the university more than $50,000 are tracked through resolution through the UC Action process. UC Action is a software tool that permits the capture of events, the causes of loss, and the corrective action that was implemented across the UC System. It permits the assignment of controls to ensure that loss prevention actions are implemented and monitored to avoid recurrence of identified issues. Developed in conjunction with UC Davis, this tool supports the Risk Services and campus loss prevention efforts. All Risk Services program managers periodically review and assess the actions being taken for appropriateness.

The role and activities of UC’s Risk Services in adverse event clinical audit (quality assurance) include the following:

• The Risk Services director for professional liability manages the systemwide incident report (IR) system and receives reports of certain types of events via e-mail as well as being able to evaluate trend reports.
• The Risk Services director periodically provides reports of individual events and trends to the facility chief medical directors at their systemwide meetings. In addition, each medical director typically brings events to discuss to these meetings so that locations can learn from each other.
• In addition to the IR system, the Risk Services director is often called by the facility risk managers and alerted to serious events. The Risk Services director also serves as a resource for questions from the facilities.
• The Risk Services PL director implemented a program to ensure that all of the university’s claims and lawsuits are coded for loss prevention and trended. This was accomplished through using the Controlled Risk Insurance Company (CRICO1) Comprehensive Risk Intelligence Tool (CRIT). This program permits the university to identify the areas of greatest frequency and cost and the underlying contributing factors in a reliable manner. The university facilities have access to the system and are able to compare their trends against the other UC system and non-UC entities.
• The Risk Services director hosts monthly conference calls with medical center risk management staff to discuss matters of interest and loss prevention opportunities.
• Risk Services funds loss prevention activities for the medical centers and student health facilities targeted at reducing university liability. Examples include the prescription rebate program, which provided grant funds for loss prevention activities; ELM Exchange,2 which provides online risk education; EMMI Solutions information consent program, which helps ensure patient understanding of their clinical options to improve satisfaction; the Vanderbilt Patient Advocacy Reporting System (PARS) to identify and assist physicians who are outliers in terms of patient complaints; disclosure education; and operating room technology aimed at reducing retained foreign bodies.
• In addition, the senior vice president for health sciences and services collects and reviews data from multiple sources regarding hospital performance in clinical areas other than adverse clinical events.
• UC Action summary reports regarding corrective action are shared with the Regents on high-dollar-value litigated cases in the form of reports from the Office of General Counsel.
PREMIUM REBATE PROGRAM

In addition to the tools developed to assess risk and report on KPIs, the Office of the President’s Office of Risk Services has developed programs to reduce the frequency and severity of loss. For the Medical and Hospital Liability Program, Risk Services developed a Premium Rebate Program in 2006–2012 that was known as the Professional Liability Prescription Program (PLPP), designed to encourage risk reduction initiatives aimed at reducing the cost of risk for the hospitals and schools of medicine. The program encouraged clinical loss prevention and patient safety and rewarded hospitals and medical groups for developing and implementing specific initiatives. PLPP is a good example of propagating the concept that everyone is a risk manager. It put loss control in the hands of individuals responsible for the outcomes. It gave them the financial resources and incentives to make a difference. There were several parts to the PLPP (see Exhibit 5.5).

The University of California (UC) Professional Medical and Hospital Liability Program (PL) is the second largest component of UC’s cost of risk. In 2012, the Chief Risk Officer believed there was a need for more ERM focus on the university’s five medical centers and began exploring ways to make this happen.
University of California Center for Health Quality and Innovation (CHQI) had established a system to encourage initiatives designed to create a culture of improvement with the support of the CHQI board, comprised of the five academic medical center CEOs, the six deans of the Schools of Medicine, and chaired by the University’s Senior Vice President of Health Sciences & Services, with a small coordinating staff based at the UC Office of the President, Oakland.

Exhibit 5.5 Professional Liability Prescription Program (PLPP)

Grant Funds for Locally Developed Loss Prevention Initiative—Maximum Rebate 2 Percent of Premium

Requests for the 2 percent grant funds may be made at any time during the fiscal year; however, locations are encouraged to submit early. Medical Center Risk Management offices are expected to coordinate the applications. Each project submitted for the grant funds must have both School of Medicine and a Medical Center approval if applicable. Multiple requests per site are permitted until the 2 percent is exhausted. Once the funding application is approved by Risk Services, the funds will be transferred to the campus account. The campus must transfer to the appropriate local code. The funds must be used for the approved project; failure to apply the funds to the project will result in recoupment of the funds by Risk Services. Projects will be monitored by Risk Services.

Medical Center and School Departments Allocation of Premium—Maximum Rebate 4 Percent of Premium

Allocation of premium based on loss experience and exposure is a critical underpinning of a successful loss prevention program. To qualify for this rebate, each School of Medicine and Medical Center must implement allocation to departments using the Bickmore approved methodology. Half of the premium will go to School of Medicine for its allocation to departments and half will go to Medical Centers for allocation of premium among its departments.

Criteria:
    Ensuring the location organization structure for premium allocation is current and appropriate.
    Reviewing and categorizing all historical and current malpractice cases to location identified Schools and Medical Centers and then to departments and divisions within each, entering the data into the Sedgwick CMS claims system on a continuous basis.
    Selecting and applying an allocation model from Bickmore recommendations to the fiscal year 2011–2012 budget.
    A written report, signed by the Dean and CEO of the Medical Center attesting to the methodology employed and the amounts paid by the various departments, is required.

Adoption and Implementation of EMMI—Maximum Rebate 2 Percent of Premium

Qualification for this rebate will require adoption and substantial implementation of EMMI by the individual locations during fiscal year 2011–2012. The amount of the rebate will be dependent on the degree of adoption of use as measured by EMMI data.

Use of Technology to Prevent Retained Surgical Sponges—Maximum Rebate 2 Percent of Premium

Human error in the counting process is a significant cause of retained sponges. Technical solutions such as Surgicount provide a reliable method to assure a valid sponge count. Reducing retained sponges through reliable technology contributes to improved patient safety, enhances hospital reputation, and avoids regulatory and legal expenses.
ERM AND THE CENTER FOR HEALTH QUALITY AND INNOVATION

In January 2013, the chief risk officer for the University of California and the executive director for the UC Center for Health Quality and Innovation (CHQI) announced a new joint venture. The new joint venture—the Center for Health Quality and Innovation Quality Enterprise Risk Management (CHQIQERM)—will award up to $8 million in grants for projects designed to reduce the risk of clinical harm to UC surgery patients in three priority areas:

1. Development of enterprise risk management (ERM) within the Schools of Medicine and medical centers. This includes projects that are aimed at clinical improvements involving multiple departments and divisions.
2. Projects aimed at reducing medical malpractice claims. These projects should take into consideration issues creating the highest frequency and severity of malpractice claims within the university facilities. Claims data identifying these areas of exposure will be provided. Projects will be evaluated based on transferability and sustainability. Ability to demonstrate a return on investment will also be considered.
3. Projects aimed at improving patient safety, quality, and efficiency within the University of California medical centers.

The joint venture seeks to fund projects by UC Health faculty and staff that use an evidence-based, systems approach to minimize the risk of clinical harm to UC patients. UC’s actuary will continue to evaluate the return on investment (ROI) of the projects and include evaluation of these loss prevention efforts in its actuarial study as it has in the past.

Funding is available to UC faculty and staff intending to engage in performance improvement activities at UC-owned and UC-operated medical centers. Individual projects are capped at $250,000 per academic medical center site. A five-campus project may be awarded up to $1.25 million.
“We’re thrilled to partner with Risk Services,” said Terry Leach, executive director of the UC Center for Health Quality and Innovation. “This collaboration will help leverage the talent of UC Health’s faculty and staff to improve patient safety at UC medical centers.”3

After an initial campus review, top-scored selections will receive a second round of review by the CHQIQERM Risk Advisory Committee in conjunction with the CHQI Operations Committee, with final selection by the CHQI board. Five-campus multisite proposals will automatically advance to receive a review by CHQIQERM.

The CHQIQERM will provide selected Project performance improvements (PIs), within three months of approval, a schedule to present their projects to various multicampus groups responsible for quality improvement and/or reduction of patient harm throughout UC, including the CHQI Operations Committee, the chief medical officer (CMO) and chief nursing officer (CNO) group, the UC quality officers, infection control officers, pharmacy chairs, CEOs, and so on. Presentations are designed to provide individuals responsible for integration of performance improvement projects throughout UC the opportunity to learn more about the funded projects, and to provide consultation for design modification, as appropriate, to increase support and acceptance of the funded projects.

By January 1, 2014, if project funds remain or if Risk Services provides additional resources, CHQIQERM will disseminate a second round of requests for proposals (RFPs), and will provide review and management pursuant to the previous year’s round of funding, with projects to be completed by June 30, 2015, unless a project continuation agreement has been negotiated and agreed upon by all parties, including the CHQI board.
PROTECTED HEALTH INFORMATION VALUE ESTIMATOR (PHIve)

The chief risk officer was invited to serve on an American National Standards Institute (ANSI) work group. The goal of the work group was to develop and publish a guide to bring attention to the risks associated with personal health information (PHI). When hospitals and medical centers perform risk assessments, they often fail to consider the magnitude of the disruption and reputational damage from a loss of personal health information.

Following participation in the work group, UC asked Bickmore (www.bickmore.net) to develop an electronic software tool for the Protected Health Information Value Estimator (PHIve). The methodology used in PHIve is described in greater detail with examples in the American National Standards Institute (ANSI) publication, “The Financial Impact of Breached Protected Health Information.” ANSI’s publication is available at the ANSI website.4

PHIve applies a practical methodology that lets the protectors of personal health information calculate the potential (or actual) cost of a data breach to their organization. The purpose of this exciting new tool is to help PHI protectors understand the financial impact of a PHI breach so they can evaluate and recommend the appropriate investments necessary to mitigate the risk of a data breach. This helps reduce potential financial exposure while strengthening the organization’s reputation as a protector of the PHI entrusted to its care.
The tool will not make decisions for you, but it will help you organize your thinking as you consider the enterprise risk management implications of a breach of protected health information.

The five steps in PHIve are:

1. Assess risks. Assess the risks, vulnerabilities, and applicable safeguards for each PHI home. A PHI home is any organizational function or space (administrative, physical, or technical) and/or any application, network, database, or system (electronic) that creates, maintains, stores, transmits, or disposes of ePHI or PHI.
2. Security readiness score. Determine a security readiness score for each PHI home by determining the likelihood of a data breach based on the security readiness score scale.
3. Determine relevance. For each PHI home that has an unacceptable security readiness score, examine the relevance (i.e., likelihood or applicability) of a particular cost category, and apply a relevance factor from a provided hierarchy.
4. Determine potential repercussions. Relevance and consequences combined create the potential repercussions of a breach. Consequences are calculated using multiple aspects of a potential breach based on a variety of considerations for your organization. Types of repercussions include reputational (loss of patients, current customers, new customers, strategic partners, or staff), financial (including costs for remediation, communication, changes to insurance, changing associates, and business distraction), legal and regulatory, operational, and clinical.
5. Total the impacts. Add up all adjusted costs to determine the total adjusted cost of a data breach to the organization.

Relevance and consequences combined create the potential repercussions of a breach. Consequences are calculated using multiple aspects of a potential breach based on a variety of considerations for your organization.
Reputational Repercussions

Reputational repercussions of a breach may include:

• Loss of patients
• Loss of current customers
• Loss of new customers
• Loss of strategic partners
• Loss of staff (separate from staff lost due to potential disciplinary action related to a breach)

The impact of a breach may have greater reputational repercussions if it is shared through social media or other means that raise further awareness of the breach. The demographics of those affected by a breach also change its reputational impact. Income and age are considerations for health privacy sensitivity, among other factors.

Financial Repercussions

Financial repercussions are grouped into five segments, each of which may contain multiple types of financial costs.

1. Cost of remediation may include:
   • Investigation or forensic costs
   • Corrective action plan costs
   • Workforce sanction costs
   • Identity theft monitoring costs
2. Costs of communication may include:
   • Notifying affected individuals
   • Notifying media outlets and notifying governmental agencies
   • Public relations costs
   • Investor relations
3. Costs of changes to insurance may include:
   • Broker costs
   • Presenting and negotiating with agencies
   • Increased cost of coverage
4. Costs of changing associates may include:
   • Due diligence for new vendors
   • Transitions to new vendors
   • Increased costs of new vendors
5. Costs of business distraction may include:
   • Lost productivity
   • Opportunity costs
   • Diversion of resources

Legal and Regulatory Repercussions

Legal and regulatory repercussions of a breach can be grouped into four areas:

1. Costs associated with actions by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), including:
   • Fines and penalties
   • Costs of additional corrective action plans
2. State fines and penalties
3. Lawsuit costs, including:
   • Legal costs
   • Settlement costs
   • Additional payments to affected individuals
   • Insurance deductibles
4. Costs associated with potential loss of accreditation or reinstatement of accreditation

Operational Repercussions

• Incremental cost of new hires
• Costs of recruiting and training new hires
• Costs associated with reorganization following a breach

Clinical Repercussions

• Fraudulent claims processed
• Delayed or inaccurate diagnoses
• Bad data in search results

Total the Impacts

Add up all adjusted costs to determine the total adjusted cost of a data breach to the organization.
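The five PHIve steps above reduce to a small piece of arithmetic: for every PHI home whose security readiness score is unacceptable, multiply each repercussion type's estimated consequence by its relevance factor, then add the adjusted costs across homes. The following Python is an added worked example of that arithmetic; it is not Bickmore's PHIve tool and not code from the book or from ANSI. The page does not print the readiness score scale, the acceptable/unacceptable cut-off, the breach likelihood mapping, or the relevance hierarchy, so the 1..5 scale, the threshold of 4, the likelihood table, the five relevance levels and their factors, and every PHI home name and dollar figure below are constructed assumptions for illustration only.

```python
"""Worked PHIve-style breach cost estimate (added illustration; not the Bickmore/ANSI tool)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Union

# The five repercussion types named in step 4 of the PHIve description.
CATEGORIES = ("reputational", "financial", "legal_regulatory", "operational", "clinical")

# ASSUMPTION: the page says a relevance hierarchy is "provided" but does not print it;
# these five levels and their factors are illustrative placeholders.
RELEVANCE_FACTOR = {"not_applicable": 0.0, "unlikely": 0.25, "possible": 0.5,
                    "likely": 0.75, "certain": 1.0}

# ASSUMPTION: a 1..5 security readiness score (5 = strongest safeguards) mapped to a
# breach likelihood (step 2). Scores below ACCEPTABLE_READINESS are "unacceptable" and
# proceed to costing (step 3); the page gives neither the scale nor the cut-off.
BREACH_LIKELIHOOD = {1: 0.60, 2: 0.40, 3: 0.25, 4: 0.10, 5: 0.05}
ACCEPTABLE_READINESS = 4

# A consequence is a lump-sum estimate or itemised line items (e.g. the five financial segments).
Consequence = Union[float, Dict[str, float]]


@dataclass
class PHIHome:
    """Step 1: one function, space, application or system that creates, stores,
    transmits or disposes of PHI/ePHI, with its assessed readiness, relevance and consequences."""
    name: str
    security_readiness: int
    relevance: Dict[str, str]             # category -> relevance level (step 3)
    consequences: Dict[str, Consequence]  # category -> cost if breached (step 4)


def consequence_total(value: Consequence) -> float:
    """Itemised consequences are summed; lump sums pass through unchanged."""
    return float(sum(value.values())) if isinstance(value, dict) else float(value)


def breach_likelihood(home: PHIHome) -> float:
    """Step 2: likelihood implied by the readiness score; rejects out-of-scale scores."""
    if home.security_readiness not in BREACH_LIKELIHOOD:
        raise ValueError(f"{home.name}: readiness score must be 1..5")
    return BREACH_LIKELIHOOD[home.security_readiness]


def is_unacceptable(home: PHIHome) -> bool:
    """Only PHI homes with an unacceptable readiness score are carried into costing."""
    breach_likelihood(home)  # validates the score
    return home.security_readiness < ACCEPTABLE_READINESS


def adjusted_costs(home: PHIHome) -> Dict[str, float]:
    """Steps 3-4: adjusted cost = relevance factor x consequence, per repercussion type.
    A category missing from the relevance map is treated as not applicable (factor 0)."""
    if not is_unacceptable(home):
        return {}
    costs = {}
    for category in CATEGORIES:
        level = home.relevance.get(category, "not_applicable")
        if level not in RELEVANCE_FACTOR:
            raise ValueError(f"{home.name}/{category}: unknown relevance level {level!r}")
        costs[category] = RELEVANCE_FACTOR[level] * consequence_total(home.consequences.get(category, 0.0))
    return costs


def totals_by_repercussion(homes: Iterable[PHIHome]) -> Dict[str, float]:
    """Roll the per-home adjusted costs up by repercussion type across all PHI homes."""
    totals = {category: 0.0 for category in CATEGORIES}
    for home in homes:
        for category, cost in adjusted_costs(home).items():
            totals[category] += cost
    return totals


def total_adjusted_cost(homes: Iterable[PHIHome]) -> float:
    """Step 5: the total adjusted cost of a breach to the organization."""
    return sum(totals_by_repercussion(list(homes)).values())


# CONSTRUCTED sample inventory: names, scores and dollar figures are invented for illustration.
SAMPLE_HOMES = [
    PHIHome("patient billing database", 2,
            {"reputational": "likely", "financial": "certain", "legal_regulatory": "likely",
             "operational": "possible", "clinical": "unlikely"},
            {"reputational": 400_000.0,  # lost patients and strategic partners
             "financial": {"remediation": 90_000.0, "communication": 70_000.0,
                           "insurance": 30_000.0, "associates": 20_000.0, "distraction": 40_000.0},
             "legal_regulatory": 300_000.0,  # OCR/state penalties and lawsuit costs
             "operational": 80_000.0,        # new hires and reorganization
             "clinical": 20_000.0}),         # fraudulent claims, bad data
    PHIHome("pharmacy workstation", 3,
            {"reputational": "possible", "financial": "likely", "legal_regulatory": "possible",
             "operational": "unlikely", "clinical": "possible"},
            {"reputational": 120_000.0, "financial": 60_000.0, "legal_regulatory": 40_000.0,
             "operational": 10_000.0, "clinical": 30_000.0}),
    # Acceptable readiness: still assessed in step 1, but contributes nothing to the total.
    PHIHome("locked paper-records room", 5, {"reputational": "possible"}, {"reputational": 50_000.0}),
]

if __name__ == "__main__":
    for home in SAMPLE_HOMES:
        print(f"{home.name}: breach likelihood {breach_likelihood(home):.0%}, adjusted {adjusted_costs(home)}")
    print("total adjusted cost:", total_adjusted_cost(SAMPLE_HOMES))  # 962500.0
```

Running the block prints the per-home breakdown and a total of 962,500 for the constructed inventory; the paper-records room is skipped because its (assumed) readiness score is acceptable, which is the step-3 filter the text describes. Reporting the totals by repercussion type as well as the grand total is what lets the figure be discussed in the terms the chapter uses, reputational versus financial versus legal exposure, rather than as a single number.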
The pilot PHIve tool was previewed by UC’s medical risk managers for the first time at the University of California’s 2013 Risk Summit. Bickmore demonstrated the tool and sought comments from the UC medical risk managers before the tool was released.
ERM and Strategy

Risk is an inherent and essential part of any organization. When properly managed, risk drives growth and opportunity. If enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization’s capital, earnings, and operations, then it only makes sense that ERM is seen as a strategic tool for management.

The past several years have been a financially challenging time for the university. Even in the face of those challenges, however, the university has made significant strides in reducing its risk exposure, thereby allowing the campuses to focus their limited dollars on the university’s mission of teaching, research, and service. ERM is seen in the university as a continuous improvement process and has been integrated into its Working Smarter initiative.5

The Office of Risk Services, as part of the CFO division, has integrated the Division Strategic Goals6 into our operations:

• Reexamine the day-to-day
• Showcase our value-add
• Engage with the customer
• Develop our staff
• Be action-oriented

The Office of Risk Services continues to reexamine the day-to-day operations, looking for innovative ways to reduce risk while improving operational efficiency. It continues to showcase the savings that are generated by implementing ERM, and continually engages its customers to learn how it can better meet their needs. It not only focuses on developing its staff, but encourages the professional development of those at the campuses and medical centers by providing the Risk Summit and monthly webinars. Finally, the tools and information provided by Risk Services allow campus and medical center leadership to be action-oriented and to be able to implement quickly programs that will result in immediate impacts. The guiding principle in all of the work that Risk Services does is to support the university mission of teaching, research, and public service, as well as patient care.
QUESTIONS

1. Your Medical Group wants to expand by starting a new venture, owning and operating a pharmacy. In order to increase the success, you have been asked to perform an enterprise risk assessment that includes reputational risk. Give three examples of how starting a new venture might have risk events that could lead to repercussions that would negatively impact the organization’s reputation and three examples where it might be enhanced, creating opportunity.
2. Explain how improvement is measured with KPIs and give one example related to Human Capital and how this KPI might help you improve your organization.
3. In the UC example, the ERM Program gives weight to both data-driven activities and to culture-changing activities. Give two examples of each and then your own opinion regarding which activities you believe to be most effective in implementing an ERM program.
4. What do you think is the difference between traditional risk management and enterprise risk management?
5. From the UC example, identify what aspects of their program were “carrots” and which ones were “sticks.” From your own experience describe which one you think works best in creating lasting change.
NOTES

1. CRICO is the patient safety and medical liability company that serves the Harvard University medical community. It is a leader in evidence-based risk management.
2. Education in Legal Medicine.
3. UC Health, January 8, 2013.
4. http://webstore.ansi.org/phi.
5. http://workingsmarter.universityofcalifornia.edu/.
6. www.ucop.edu/finance-office/mission-goals/strategic-goals.html.
ABOUT THE CONTRIBUTOR
Grace Crickette joined AAA Northern California, Nevada, and Utah (NCNU) in
May 2013 as the Senior Vice President and Chief Risk and Compliance Officer. She
was the former Chief Risk Officer at the University of California. In her current
position, she is charged with implementing enterprise risk management (ERM)
with her legal, compliance, risk management, and internal audit team. The Risk
Services team provides internal audit and consultation, legal consultation, quality
assurance and compliance, risk financing and captive solutions, crisis and conse-
quence management, and loss prevention and loss control services. The Risk Ser-
vices team’s ERM vision is to support AAA’s Membership Promise: “We will keep
you safe and secure—We will offer you the right product at the right time—We will
provide you helpful and knowledgeable service—We will reward your loyalty—
One Member, One AAA.”
Prior to coming to AAA NCNU, Grace served as the University of Califor-
nia’s Chief Risk Officer. Major initiatives for the Risk Services department included
reducing the cost of risk, implementing system and local safety programs, improv-
ing claims management systems, developing risk financing strategies, and imple-
menting enterprise risk management (ERM), and emergency management and
business continuity planning throughout the university.
Grace joined the University of California in December 2004 after 13 years as a
vice president and officer in audit, insurance, safety, and human resources capac-
ities for the equipment and construction industry. She graduated with distinction
from the University of Redlands with a bachelor’s degree in business administra-
tion, and holds a variety of professional designations in the areas of claims, safety,
audit, and human resources, including Associate in Risk Management and Senior
Professional in Human Resources.
In 2008, Grace received the Risk Innovator Award for innovation and excel-
lence in risk management in higher education. She received the Information Secu-
rity Executive (ISE) of the Year West Award 2011 and National Award 2011 for
Higher Education/Non Profit Sector for innovative problem solving related to a
collaborative partnership with the University of California’s chief information offi-
cer and other information technology (IT) professionals, insurance brokers, and
underwriters for securing previously unavailable and much-needed cyber cover-
age and at the same time developing a program that will drive improvement and
best practices into the future. She also received the ISE award of the decade for
Higher Education/Non Profit Sector for her overall commitment to IT security.
She was chosen in 2011 as one of Business Insurance’s Women to Watch, an annual
feature spotlighting 25 women who are doing outstanding work in commercial
insurance, reinsurance, risk management, employee benefits, and related fields,
such as law and consulting. She was also selected by Business Insurance magazine
for its 2011 Risk Management Honor Roll. Also in 2011, Treasury & Risk magazine
named her one of the “100 Most Influential People in Finance.” She has consulted
with numerous public and private entities on the implementation of ERM, includ-
ing Harvard University and SingHealth, Singapore’s largest health care group.
CHAPTER 6
Strategic Risk Management at
the LEGO Group
Integrating Strategy and Risk Management
MARK L. FRIGO
Director, Strategic Risk Management Lab, and Ledger & Quill Distinguished
Professor of Strategy and Leadership, DePaul University
HANS LÆSSØE
Senior Director of Strategic Risk Management, LEGO Group
How can organizations manage strategic risks in a volatile and fast-paced business environment? Many have started focusing their enterprise risk management (ERM) programs on the critical strategic risks that can make
or break a company. This effort is being driven by requests from boards and other
stakeholders and by the realization that a systematic approach is needed and that
it’s highly valuable to include strategic risk management in ERM and to integrate
risk management within the fabric of an organization.
In this case1 we describe strategic risk management at the LEGO Group, which
is based on an initiative started in late 2006 and led by Hans Læssøe, senior direc-
tor of strategic risk management at LEGO System A/S. It’s also part of the con-
tinuing work of the Strategic Risk Management Lab at DePaul University, which
is identifying and developing leading practices in integrating risk management
with strategy development and strategy execution. This descriptive case provides
a great example of integrating risk management into the strategy development and
strategy execution.
ABOUT THE LEGO GROUP
Headquartered in Billund, Denmark, the family owned LEGO Group has 12,500
employees worldwide and is the second-largest toy manufacturer in the world in
terms of sales. Its portfolio, which focuses on LEGO bricks, includes 25 product
lines sold in more than 130 countries. The name of the company is an abbreviation
of the two Danish words leg godt that mean “play well.” The LEGO Group began in
1932 in Denmark, when Ole Kirk Kristiansen founded a small factory for making
wooden toys. Fifteen years later, he discovered that plastic was the ideal material
for toy production and bought the first injection molding machine in Denmark.
In 1949, the brick adventure started. Over the years, the LEGO Group per-
fected the brick, which is still the basis of the entire game and building system.
Though there have been small adjustments in shape, color, and design from time
to time, today’s LEGO bricks still fit bricks from 1958. The 2,400 different LEGO
brick shapes are produced in plants in Denmark, the Czech Republic, Hungary,
and Mexico with the greatest of precision and subjected to constant controls. There
are more than 900 million different ways of combining six eight-stud bricks of the
same color.
THE LEGO GROUP STRATEGY
To understand strategic risk management at the LEGO Group, you need to under-
stand the company’s strategy. This is consistent with the first step in developing
strategic risk management in an organization: to understand the business strategy
and the related risks as described in the strategic risk assessment process.2
The LEGO Group’s mission is “Inspire and develop the builders of tomorrow.”
Its vision is “Inventing the future of play.” To help accomplish them, the company
uses a growth strategy and an innovation strategy.
� Growth strategy. The LEGO Group has chosen a strategy that’s based on a
number of growth drivers. One is to increase its market share in the United
States. Many Americans may think they buy a lot of LEGO products, but
they buy only about a third of what Germans buy, for example. Thus there
are potential growth opportunities in the U.S. market.
The LEGO Group also wants to increase market share in Eastern Europe,
where the toy market is growing very rapidly. In addition, it wants to
invest in emerging markets, but cautiously. The toy industry isn’t the first
one to move into new, emerging markets, so the LEGO Group will invest
at appropriate levels and be ready for when those markets do move. It
will also expand direct-to-consumer activities (sales through LEGO-owned
retail stores), online sales, and online activities (such as online games for
children).
� Innovation strategy. On the product side, the LEGO Group focuses on creat-
ing innovative new products from concepts developed under the title “Obvi-
ously LEGO, never seen before.” The company plans to come up with such
concepts every two to three years. One of the latest examples is LEGO Games
System, which consists of family board games (a new way of playing with
LEGO bricks) with a LEGO attitude of changeability (obviously LEGO). The
company also intends to expand LEGO Education, its division that works
with schools and kindergartens. And it will develop its digital business as
the difference between the physical world and the digital world becomes
more and more blurred and less and less relevant for children.
Now let’s look at the development of LEGO strategic risk management.
Exhibit 6.1 Four Elements of Risk Management at the LEGO Group: (1) Enterprise Risk Management, (2) Monte Carlo Simulations, (3) Active Risk & Opportunity Planning (AROP), (4) Preparing for Uncertainty
LEGO STRATEGIC RISK MANAGEMENT
The LEGO Group developed risk management in four steps (numbered in the
order in which the steps were initiated) as shown in Exhibit 6.1:
� Step 1. Enterprise risk management was traditional ERM in which financial,
operational, hazard, and other risks were later supplemented by explicit
handling of strategic risks.
� Step 2. Monte Carlo simulations were added in 2008 to understand the finan-
cial performance volatility (which proved to be significant) and the drivers
behind it to integrate risk management into the budgeting and reporting
processes. During the past two years the use of Monte Carlo simulations
was refined, as described later in this chapter.
Those two steps were seen mostly as damage control. To get ahead of the deci-
sion process and have risk awareness impact future decisions as well, LEGO risk
management added:
� Step 3. Active risk and opportunity planning (AROP), where business projects
go through a systematic risk and opportunity process as part of preparing
the business case before final decisions about the projects are made.
� Step 4. Preparing for uncertainty, where management tries to ensure that long-
term strategies are relevant for and resilient to future changes that may very
well differ from those planned for. Scenarios help them envision a set of
different yet plausible futures to test the strategy for resilience and relevance.
These last two steps were designed to move upstream—or get involved earlier
in strategy development and the strategic planning and implementation process.
Strategic Risk Management Lab Commentary
This four-step approach is a good illustration of how organizations can develop
their risk management capabilities and processes in incremental steps. It represents
an example of how to evolve beyond traditional ERM and integrate risk manage-
ment into the strategic decision making of an organization. This approach positions
risk management as a value-creating element of the strategic decision-making pro-
cess and the strategy-execution process.
In our research on high-performing companies, we’ve found that the LEGO
Group, like those companies, achieves sustainable high performance and creates
stakeholder value by consistently executing the strategic activities in the Return-
Driven Strategy framework (for example, the focus on innovating its offerings
toward changing customer needs) while co-creating value through its engagement
platforms—that is, the online community, including its My LEGO Network, which
engages more than 400 million people and helps its product development process;
see Venkat Ramaswamy and Francis Gouillart, The Power of Co-Creation (Free Press
2010). Its strategic risk management processes incorporate distinct elements of co-
creation by engaging its employees (internal stakeholders) throughout the strate-
gic decision-making, planning, and execution processes, as well as engaging exter-
nal stakeholders (suppliers, partners, customers). The LEGO Group’s approach is
a good example of how an organization can engage stakeholders in co-creating
strategic risk/return management (see Mark L. Frigo and Venkat Ramaswamy,
“Co-Creating Strategic Risk-Return Management,” Strategic Finance, May 2009).3
ENTERPRISE RISK MANAGEMENT (STEP 1)
The evolution of ERM toward strategic risk management is represented in
Exhibit 6.2. Strategic risk was missing from the ERM portfolio until 2006.
To fix this, based on his then 25 years of LEGO experience and a request from
the CFO, Hans Læssøe started looking at strategic risk management. “I was a cor-
porate strategic controller who had never heard the term until then,” he says. The
company had embedded risk management in its processes. Operational risk—minor
disruptions—was handled by planning and production. Employee health and safety
was OHSAS 18001 certified. Hazards were managed through explicit insurance pro-
grams in close collaboration with the company’s partners (insurance companies
and brokers). Information technology (IT) security risk was a defined functional area.
Financial risk covered currencies and energy hedging as well as credit risks. And
legal was actively pursuing trademark violations as well as document and contract
management. But strategic risks weren’t handled explicitly or systematically, so the
CFO charged Hans with ensuring they would be from then on. This became a full-
time position in 2007, and Hans added one employee in 2009 and another in 2011.
Exhibit 6.2 The LEGO ERM Umbrella: Adding Strategic Risk. Under the ERM umbrella: Employee Safety, Operational, Hazard, IT Security, Legal, Financial, and Strategic (added 2006)
Strategic Risk Management Lab Commentary
The 2006 situation is common. Even though strategic risks need to be integrated
with risk management, many organizations don’t explicitly assess and manage
strategic risks within strategic decision-making processes and strategy execution.
A recent study by the Corporate Executive Board found that strategic risks have
the greatest negative impact on enterprise value: “strategic risk caused 68 per-
cent of severe market capitalization declines.”4 But the LEGO Group’s approach
shows how strategic risk management can be a key to increasing the value of
ERM within an organization. It also shows how executive leadership from the
CFO played an important role in the evolution of ERM as a valuable management
process. Finally, Hans came from the business side and had the attributes neces-
sary to lead the initiative: broad knowledge of the business and its core strategies,
strong relationships with directors and executive management, strong commu-
nication and facilitation skills, knowledge of the organization’s risks, and broad
acceptance and credibility across the organization. (For more, see Mark L. Frigo
and Richard J. Anderson, Embracing ERM: Practical Approaches for Getting Started,
at www.coso.org/guidance.htm, p. 4.)
Also, the risk owner concept at LEGO provides a good example of the impor-
tance of understanding who owns the risks as well as defining the role of risk man-
agement in the organization. The idea of “risk owners” was important to ensure
action and accountability. Hans’s charge was to develop strategic risk management
and make sure the LEGO Group had processes and capabilities in place to do this.
But as senior director of strategic risk management, Hans doesn’t own the risk. He
can’t own the risk, because this essentially would mean he would own the strategy,
and each line of business owns the pertinent strategic risks. Hans trains, leads, and
drives line management to apply a systematic process to deal with risk. The mis-
sion of Hans’s strategic risk management team is to “drive conscious choices.” This
is just like budgeting functions: They don’t earn the money or spend the money,
but they support management to deliver on the budget or compare performance
against the budget.
MONTE CARLO SIMULATION (STEP 2)
In 2008, Hans introduced Monte Carlo simulation into the process. A mathemati-
cian by education (MSc in engineering), he started defining how Monte Carlo
simulation could be used in risk management. Now it’s being used for three
areas:
1. Budget simulation. The business controllers were asked for their input about
volatility, which is combined with analyses based on past performance of
budget accuracy. Managers said this helped them understand the financial
volatility, so it was part of the financial and budget reporting in 2012. In fact,
the first analyses directed top management’s attention to a sales volatility
that was known but that proved to be much more significant than every-
one intuitively believed. During the past two years, this approach has been
refined as described by Hans: “We actually stopped this. It was found that
the volatility of the business is so significant that we have stopped budget-
ing altogether, as the process took a lot of effort—too little value as con-
ditions changed. Today (2014) we use an estimate process where a small
team of lead controllers defines a preliminary estimate for board of direc-
tors discussions. In March (each year) we do a detailed estimate on which
we base KPIs, targets, bonus criteria, et cetera. Monthly, we then update the
estimate, and hence our financial planning process is more dynamic . . . and
we do not need the budget simulation anymore.”
2. Credit risk portfolio. The LEGO Group uses a similar approach to look at its
credit risk portfolio so it can have a more professional conversation with a
credit risk insurance partner.
3. Consolidation of risk exposure. You could multiply the probability and impact
of each risk and add the whole thing up. Risk management isn’t about aver-
ages (if it were, no one would take out an insurance policy on anything).
With a Monte Carlo simulation, the LEGO Group can calculate the 3 percent
worst-case loss compared to budget and use that to define risk appetite and
risk report exposure vis-à-vis this risk appetite, as shown in Exhibit 6.3.
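To make the “not about averages” point concrete, here is an added Python example, written for this edit and not taken from the LEGO Group’s own tool, that consolidates a small risk register by Monte Carlo simulation and reads off the 3 percent worst-case loss (the earnings-at-risk figure of Exhibit 6.3), both gross and net of mitigation, and checks it against a risk tolerance expressed as a fraction of planned earnings. The risk register, the planned-earnings figure, the triangular loss distributions, the mitigation fractions, the 15 percent tolerance, and the assumption that the risks occur independently of one another are all constructed assumptions for illustration.

```python
import random

# Constructed sample risk register in millions of a planning currency (not LEGO data).
# Each entry: annual probability the risk event occurs, loss if it occurs as a
# triangular (low, high, mode) distribution, and the assumed fraction of the loss
# that mitigation removes (gross exposure -> net exposure).
RISKS = [
    {"name": "Key retail partner insolvency", "p": 0.10, "loss": (20, 120, 50), "mitigated": 0.5},
    {"name": "Product recall in one market", "p": 0.25, "loss": (5, 40, 15), "mitigated": 0.4},
    {"name": "Loss of a moulding plant", "p": 0.05, "loss": (50, 300, 100), "mitigated": 0.7},
    {"name": "Currency exposure not hedged", "p": 0.40, "loss": (2, 20, 8), "mitigated": 0.2},
]

PLANNED_EARNINGS = 1000.0  # constructed planned earnings for the year, same units


def expected_annual_loss(risks, net):
    """The 'multiply probability by impact and add it up' figure the text warns against.
    The mean of a triangular(low, high, mode) distribution is (low + high + mode) / 3."""
    total = 0.0
    for r in risks:
        low, high, mode = r["loss"]
        mean_loss = (low + high + mode) / 3.0
        if net:
            mean_loss *= 1.0 - r["mitigated"]
        total += r["p"] * mean_loss
    return total


def simulate_year(risks, rng, net):
    """One simulated year: each risk independently occurs or not (assumption);
    if it occurs, draw its loss from the triangular distribution."""
    total = 0.0
    for r in risks:
        if rng.random() < r["p"]:
            low, high, mode = r["loss"]
            loss = rng.triangular(low, high, mode)
            if net:
                loss *= 1.0 - r["mitigated"]
            total += loss
    return total


def earnings_at_risk(risks, net, n_years=20000, tail=0.03, seed=1):
    """Loss versus plan that is exceeded in only `tail` (3 percent) of simulated years.
    Mitigation does not consume random numbers, so gross and net runs with the same
    seed see the same event draws and net <= gross year by year."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(risks, rng, net) for _ in range(n_years))
    index = min(int((1.0 - tail) * n_years), n_years - 1)
    return losses[index]


def within_tolerance(ear, planned_earnings, max_fraction):
    """Risk tolerance rule from the text: the 3 percent worst-case loss may not
    exceed a set fraction of planned earnings (the fraction is an assumption here)."""
    return ear <= planned_earnings * max_fraction


if __name__ == "__main__":
    gross = earnings_at_risk(RISKS, net=False)
    net = earnings_at_risk(RISKS, net=True)
    print(f"expected loss, gross (the average): {expected_annual_loss(RISKS, net=False):8.1f}")
    print(f"gross EaR at the 3% tail:           {gross:8.1f}")
    print(f"net EaR at the 3% tail:             {net:8.1f}")
    print(f"effect of mitigation:               {gross - net:8.1f}")
    print("net EaR within 15% of planned earnings:", within_tolerance(net, PLANNED_EARNINGS, 0.15))
```

Running it shows the gap the chapter describes: the averaged figure is a few percent of planned earnings, while the 3 percent worst-case loss is several times larger, and the difference between the gross and net curves is the “effect of mitigation” band in Exhibit 6.3. If the real risks are mutually exclusive or correlated, as the text notes some are, the independence assumption in `simulate_year` is the first thing to replace.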
Exhibit 6.3 Monte Carlo Simulations and Risk Appetite at the LEGO Group: company risk exposure (gross and net), showing gross EaR, the effect of mitigation, and net EaR at the 3 percent worst-case tail of the simulations
Risk Tolerance
As a privately held company, the LEGO Group can’t look at stock values, so it
looks at the amount of earnings the company is likely to lose compared to budget
if the worst-case combined scenarios happen. Not all risks will materialize in any
one year, because some of them are mutually exclusive; but a huge number may
happen in any one year, as we have seen during the global financial crisis. Hans
computes a net earnings at risk (EaR), and corporate management and later the
board of directors use that net earnings at risk to define their risk tolerance. They
have said that the 3 percent worst-case loss may not exceed a certain percentage of
the planned earnings (the percentage is not 100). That guides management toward
understanding and sizing the risk exposure. This process has helped the LEGO
Group take more risks and be more aggressive than it otherwise would have dared
to be, and to grow faster than it otherwise could have done.
Strategic Risk Management Lab Commentary
Risk tolerance is a difficult area for organizations to address. The approach used
at the LEGO Group provides a good example of deriving risk tolerance (the term
LEGO uses rather than risk appetite) in an actionable and systematic way. It also
shows an approach that fosters intelligent risk taking and that avoids being too risk
averse while maintaining discipline on the amount of risk undertaken. Hans has
actually had cases where he recommended taking on more risks to meet elusive
targets. He uses an analogy to communicate the idea of taking risks and not being
too risk averse: “I used the (very normal) traffic picture . . . ‘Guys, you are getting
late for the party, yet you are still cruising at 40 mph on the highway. Why not
speed up to the 70 mph you are allowed to drive—if that will more likely take you
to the party in time?’”
What we’ve discussed so far is more or less damage control because it’s
about managing risks already taken by approving strategies and initiating busi-
ness projects. Hans decided he wanted to move beyond damage control and be
more proactive so he could create real value as a risk manager. He came up with a
process he calls active risk and opportunity planning (AROP) for business projects.
AROP: ACTIVE RISK ASSESSMENT OF BUSINESS
PROJECTS (STEP 3)
When the LEGO organization implements business projects of a defined minimum
size or level of complexity, it’s mandatory that the business case includes an explicit
definition and method of handling both risks and opportunities. Hans says that
the LEGO Group has created a supporting tool (a spreadsheet) with which to do
this, and it differs from the former approach to project risk management in several
areas. Hans has the following to say on each:
� Identification, “where we call upon more stakeholders, look at opportunities
as well as risks, and look at risks both to the project and from the project (i.e.,
potential project impact on the entire business system).”
� Assessment, “where we define explicit scales and agree what ‘high’ means to
avoid different people agreeing on an impact being high without having a
shared understanding of the exposure.”
� Handling, “where we systematically assign risk owners to ensure action and
accountability and include the use of early warning indicators, where these
are relevant.”
� Reassessment, “where we explicitly define the net risk exposure to ensure
that we have an exposure we know we can accept, the reason being that we
have seen people ignore this step, and hence do too much or too little to a
particular risk; here, we ask them to deliberately address whether or not they
can and will accept the residual risk—and know what it is they accept. From
time to time we see the individual risks being accepted, but then, when we
do the Monte Carlo simulation on the project (yes, we use it here as well), we
see that the likelihood of meeting the target is still too low—and more risk
mitigation or opportunity pursuit is called for and included in the project.”
� Follow-up, “where we keep the risk portfolio of the project updated for gate
and milestone sessions.”
� Reporting, “which is done automatically and fully standardized based on the
data.”
Common Language and Common Framework
The most important point is that the people who address and work with risks get a
systematic approach so they can use the same approach from Project A for Project
B. The one element that project managers really like is having the data in a database.
They don’t receive just a spreadsheet model. Data are entered into the spreadsheet
as a database, and all the required reporting on risk management is collected from
that data, so project managers don’t have to develop a report—they can just cut and
paste from one of the three reporting sheets that are embedded in the tool. All the
reports are standardized. That’s good for the project managers, but it’s also good
for the people on the steering committees because they now receive a standardized
report on risks. They don’t have a change between layouts of probability/impact
risk maps or somebody comes up with severity or whatever from project to project.
Everyone has the same kind of formula, the same way of doing it.
Strategic Risk Management Lab Commentary
The AROP process is a great example of integrating risk assessment in terms of
upside and downside risks in the strategic decision-making process. This balanced
approach to strategic risk management allows organizations to create more stake-
holder value while intelligently managing risk.
PREPARING FOR UNCERTAINTY: DEFINING AND
TESTING STRATEGIES (STEP 4)
To get further ahead in the decision process, the LEGO Group has added a system-
atic approach to defining and testing strategies. As Hans notes, “We are going one
step further upstream in the decision process with what we call ‘Prepare for Uncer-
tainty.’ This is a strategy process, and we’re looking at the trends of the world. The
industry is moving; the world is moving quite rapidly. I just saw a presentation
that indicated that the changes the world will see between 2010 and 2020 will be
somewhere between 10 and 80 times the changes the world saw in the twentieth
century, compressed into a decade.”
He offers the following story to illustrate the forces of change the company
is facing: “My seven-year-old granddaughter came to me and asked, ‘Granddad,
why do you have a wire on your phone?’ She didn’t understand that. She’d never
seen a wire on a phone before. We need to address that level of change and do it
proactively.”
Four Strategic Scenarios
A group of insightful staff people (Hans and a few from the Consumer Insight
function) defined a set of four strategic scenarios based on the well-documented
megatrends defined by the World Economic Forum in 2008 for the Davos meetings.
Hans commented:
“We presented and discussed these with senior management in 2009, prior to
their definition of 2015 strategies, to support that they would look at the poten-
tial world of 2015 when defining strategies and not just extrapolate present-day
conditions.
“Having done that, we then prepared to revisit each key strategy vis-à-vis all
four scenarios to identify issues (i.e., risks and opportunities) for that particular
strategy if the world looks like this particular scenario.
“This list of issues is then addressed via a PAPA model whereby a strategic
response is defined and embedded in the strategy.
“This way, we believe that we have reasonably ensured our strategies will be
relevant if/when the world changes in other ways than we originally planned for.”
During the past two years, LEGO refined the process and used it actively, the
reason being that the original scenarios did in fact not lead to much explicit action.
Today a scenario session is a five-hour workshop where participants focus on one
particular strategy (e.g., market entry in China). The workshop is with the man-
agement team that owns the strategy and its implementation.
� The first hour they discuss and agree on two key drivers of uncertainty to
their strategy (the axes of the 2 × 2 scenarios). Hans’s team comes with a
battery of potential drivers—and they (after some discussion) end up with
two—leading to four quadrants of a 2 × 2 matrix.
� The next two hours the team describes the four quadrants one at a time. First,
they individually use Post-it notes to write down descriptive elements or key
success factors for the scenario (the Post-it session is to avoid groupthink).
Then they share their descriptions and discuss their way into a reasonably
consistent image of that scenario, before they move on to the next.
� The fourth hour is used to define strategic issues—again Post-it notes and
sharing. Here they are diligently coached to be aware that any issue may be
an opportunity (if they choose to pursue this in time). If they do not pursue
this, it may become a risk, and if they still don’t do anything and the risk
materializes, it becomes a problem. The sharing process includes a prioriti-
zation discussion in LEGO’s PAPA model (see later in this chapter).
� The last hour focuses first and foremost on actions to be taken. The team
discusses and agrees on explicitly “who is doing what by when” to ensure
action on the issues that the team members have themselves decided are
important, likely, and fast moving.
The role of Hans’s team is to coach the process, including asking provocative
questions and ensuring that team members get out of their comfort zone (where
the real world is). The process is mandatory for business planning and strategy
definition, and in 2013 Hans’s team was involved with doing 25 of these workshop
sessions as the company business plans were to be updated. Subsequently it was
documented that 75 percent of these business plans had taken on explicit actions
on issues they had not seen prior to the session—hence the value.
Hans explains, “Once we have decided on the strategy and defined what we’re
going to do, we test the strategy for resilience. We very simply take that particular
strategy and, together with the strategy owner, discuss: If this scenario happens,
what will happen to the strategy? Some of these issues will be highly probable,
and some of them will be less probable. Some of them will happen very fast; some
others will happen very slowly. This is where the PAPA model comes in.”
THE PAPA MODEL
When looking at the issues inspired by the scenarios, the LEGO Group uses what
it calls a Park, Adapt, Prepare, Act (PAPA) model, as shown in Exhibit 6.4. Hans
explains:
� Park: “The slow things that have a low probability of happening, we park. We
do not forget about them.”
� Adapt: “The slow things that we know will happen or are highly likely to
happen, we adapt to those trends. In our case, this is a lot around demo-
graphics. We know children’s play is changing, we know demographics are
changing, and we know the buying power between the different realms
or the different parts of the world is changing. Although we know chil-
dren’s play is changing, we also know it does not happen fast. So we adjust,
systematically monitoring what direction it’s moving in and following that
trend.”
� Prepare: “The things that have a low probability of happening, but, if they do,
they materialize fast, we need to be prepared for this. In fact, this is where
we identify most of the risks that we need to put into our ERM risk database,
make sure that we have contingency plans for them, and apply early warn-
ings and whatever mitigation we can put in place to make sure that we can
cover these should they materialize, but they are not expected to.”
� Act: “Finally, we have the high-probability and fast-moving things that we need
to act on now in order to make sure the strategy will be relevant. In our
case, anything that has to do with the concept of connectivity (i.e., mobile
phones, Internet, that world)—if we can see it, we move on it. We know that
it is changing so fast, and it’s changing the way kids play. It’s changing their
concepts and their view of the world.”
Exhibit 6.4 LEGO’s PAPA Model: overall strategic response by likelihood (low/high) and speed of change (slow/fast). Low likelihood and slow change: Park; high likelihood and slow change: Adapt; low likelihood and fast change: Prepare; high likelihood and fast change: Act
Hans concludes, “This way, we have a kind of model of what we do, because
we shouldn’t, of course, be betting on every horse in the race. That’s not profitable,
and it isn’t even doable.”
Strategic Risk Management Lab Commentary
One of the challenges of risk management is to find ways to prioritize risks that
make business sense. The PAPA model provides a good example of a framework
that can prioritize risks and set the stage for the appropriate actions. Our research
on high-performance companies (see Mark L. Frigo, “Return Driven: Lessons from
High Performance Companies,” and the book Driven: Business Strategy, Human
Actions, and the Creation of Wealth by Mark L. Frigo and Joel Litman) found that
companies that demonstrate sustainable high performance exhibit a “vigilance to
forces of change” that allows them to manage the threats and opportunities in the
uncertainties and changes better than other companies do.5 The approach used at
LEGO is a great example of embedding this vigilance to forces of change in its strat-
egy development and strategy execution processes. The scenario analysis approach
used at LEGO provides an engagement platform for engaging stakeholders in the
risk management process.6
STRATEGIC RISK MANAGEMENT RETURN
ON INVESTMENT
A great deal has happened in the LEGO Group’s approach to risk management
based on strong support from top management (always needed to develop pro-
cesses and methodologies) and a strong focus. They have demonstrated value from
the efforts they’ve made. They also have explicitly embedded risk management in
most of the key planning processes used to run the company:
• The Strategic Scenarios used in business planning
• The LEGO Development Process, which includes Monte Carlo simulation of overall project risk/opportunity exposure
• The Customer Business Planning Process, with AROP done in collaboration
• The Sales and Operations Planning Process, using tactical scenarios
• The Performance Management Process, with bonuses based on results, not efforts
“All of this has worked,” Hans says. “Based on actual data, we have had a
20 percent average growth from the period between 2006 and 2010 in a market
that barely grows 2 percent and 3 percent a year. It has continued so 2006 to 2012
has a cumulative annual growth rate of 20 percent, leading to a tripling of the size
of the company based on official public data. Beyond that, our profitability has
developed quite significantly as well. We’ve grown from a 17 percent return on
sales in 2006 to 34 percent return on sales in 2012. And it goes beyond that. If you
go back a couple more years, in 2004 we were in dire straits and had a negative
return on sales of 15 percent. We changed a number of strategies.
“Risk management is not the driver of these changes,” Hans continues. “I’m
not even sure it’s a big part. But it’s one part. It’s a part that has allowed us to take
bigger risks and make bigger investments than we otherwise would have seen.
The Monte Carlo simulation has shown us what the uncertainty is and was a key
element of changing the financial planning process to a more dynamic estimation
approach. The risk tolerance has shown us how much risk we are prepared to
take, between the board of directors and the corporate management team. This
has meant that we have been prepared to make bigger supply chain investments
than we otherwise would have done and have been able to achieve bigger growth
than we ever imagined we could have.”
Strategic Risk Management Lab Commentary
The development of strategic risk management at the LEGO Group provides a
great example of how organizations can develop their ERM programs to incorpo-
rate strategic risk and make strategic risk management a discipline and core com-
petency within the organization. One of the key elements was integration. During discussions with
LEGO management, when Hans was asked about the ongoing development of risk
management at the LEGO Group, he replied that it was “naturally integrated.” It
is this integration of risk management in strategy and strategy execution, and the
integration of strategy in risk management, that can elevate the value of ERM in
an organization.
CONCLUSION
We want to emphasize that risk management is not about risk aversion. If, or
rather when, you want or need to take bigger chances than your competitors—
and get away with it (succeed)—you need to be better prepared. The fastest race
cars in the world have the best brakes and the best steering to enable them to be
driven faster, not slower. Risk management should enable organizations to take the
risks necessary to grow and create value. To quote racing legend Mario Andretti:
“If everything’s under control, you’re going too slow.” The approach and philoso-
phy described in this case are reflected in the mission of the strategic risk manage-
ment team at the LEGO Group to “drive conscious choices.”
QUESTIONS
1. What are the advantages of integrating ERM with strategy and strategy execution as
described in this case?
2. How does scenario analysis as described in this case help an organization to prepare for
uncertainties?
3. What are the advantages of using the PAPA model to categorize risks?
4. How would you describe the “Strategic Risk Management Return on Investment” at
LEGO?
5. The mission of the strategic risk management team is to “Drive conscious choice.” How
does the Active Risk and Opportunity Planning (AROP) element of strategic risk man-
agement at LEGO help to drive conscious choice?
NOTES
1. This chapter was adapted from Mark L. Frigo and Hans Læssøe, “Strategic Risk Man-
agement at the LEGO Group,” Strategic Finance (February 2012) with the permission of
Strategic Finance and the Institute of Management Accountants. An earlier version of this
case was presented at the Risk and Insurance Management Society (RIMS) Conference,
where Mark and Hans serve as members of the RIMS Strategic Risk Management Devel-
opment Council.
2. M. L. Frigo and R. J. Anderson, “Strategic Risk Assessment: A First Step for Improving
Governance and Risk Management,” Strategic Finance 12 (2009), 25–35.
3. Also see Hans Læssøe, Venkat Ramaswamy, and Mark L. Frigo, “Strategic Risk Manage-
ment in the Co-Creative Enterprise,” Working Paper, Strategic Risk Management Lab,
DePaul University, 2014.
4. See “Using ERM to Improve Strategic Decisions,” CEB Risk Management Leadership
Council, Corporate Executive Board, 2013.
5. Also see Mark L. Frigo, Driven Strategy: Creating and Sustaining Superior Performance (Palo
Alto, CA: Stanford University Press, forthcoming 2015).
6. A. Mikes and D. Hamel, “The LEGO Group: Envisioning Risks in Asia,” Harvard Busi-
ness School Case 113-054, November 2012.
REFERENCES
Frigo, M. L. 2008. “Return Driven: Lessons from High Performance Companies.” Strategic
Finance 7, 24–30.
Frigo, Mark L. 2015. Driven Strategy: Creating and Sustaining Superior Performance. Palo Alto,
CA: Stanford University Press, forthcoming.
Frigo, M. L., and R. J. Anderson. 2009. “Strategic Risk Assessment: A First Step for Improving
Governance and Risk Management.” Strategic Finance 12, 25–35.
Frigo, M. L., and R. J. Anderson. 2011. “Embracing ERM: Practical Approaches for Getting
Started.” Committee of Sponsoring Organizations of the Treadway Commission (COSO).
www.coso.org/guidance.htm.
Frigo, Mark L., and Mark Beasley. 2010. “ERM and Its Role in Strategic Planning and Strat-
egy Execution.” In John Fraser and Betty J. Simkins, eds. Enterprise Risk Management.
Hoboken, NJ: John Wiley & Sons.
Frigo, Mark L., and Hans Læssøe. 2012. “Strategic Risk Management at the LEGO Group.”
Strategic Finance 2, 27–35.
Frigo, Mark L., and Joel Litman. 2007. Driven: Business Strategy, Human Actions, and the Cre-
ation of Wealth. Chicago: Strategy & Execution, LLC.
Frigo, M. L., and V. Ramaswamy. 2009. “Co-Creating Strategic Risk-Return Management.”
Strategic Finance 5, 25–33.
Læssøe, Hans, Venkat Ramaswamy, and Mark L. Frigo. 2014. “Strategic Risk Management
in the Co-Creative Enterprise.” Working Paper, Strategic Risk Management Lab, DePaul
University.
Mikes, A., and D. Hamel. 2012. “The LEGO Group: Envisioning Risks in Asia.” Harvard
Business School Case 113-054, November.
Ramaswamy, V., and F. Gouillart. 2010. The Power of Co-Creation. New York: Free Press.
Ramaswamy, V., and K. Ozcan. 2014. The Co-Creation Paradigm. Palo Alto, CA: Stanford
University Press, forthcoming.
ABOUT THE CONTRIBUTORS
Mark L. Frigo, PhD, CMA, CPA, is director of the Center for Strategy, Execu-
tion and Valuation and the Strategic Risk Management Lab in the Kellstadt Grad-
uate School of Business at DePaul University in Chicago. He is Ledger & Quill
Alumni Foundation Distinguished Professor of Strategy and Leadership in the
Driehaus College of Business at DePaul. The author of seven books and more
than 100 articles, his work is published in leading journals, including the Harvard
Business Review. Dr. Frigo is coauthor (with Joel Litman) of the book Driven: Busi-
ness Strategy, Human Actions, and the Creation of Wealth, coauthor (with Richard J.
Anderson) of the book Strategic Risk Management: A Primer for Directors and Man-
agement Teams, and author of a forthcoming book, Driven Strategy, from Stanford
University Press. His research and thought leadership on strategic risk manage-
ment and ERM have been published by Harvard Business Press, the Conference
Board, Committee of Sponsoring Organizations of the Treadway Commission
(COSO), American Accounting Association, Financial Executives International,
American Institute of Certified Public Accountants, Institute of Internal Auditors,
Institute of Chartered Accountants in England and Wales, Chartered Institute of
Management Accountants, Institute of Management Accountants, Risk and Insur-
ance Management Society, and other leading organizations, and he has presented
keynote presentations and executive workshops on strategic risk management
throughout North America, Europe, and the Asia-Pacific region. He is a member of
the RIMS Strategic Risk Management Development Council. Dr. Frigo is an adviser
to executive teams and boards of directors in the area of strategic risk management.
Hans Læssøe, MSc, is head of and senior director for strategic risk management
at the LEGO Group, a function he established in 2006 and 2007. He has more than
30 years of LEGO Group experience from a number of areas, which provides him
with strong business insight and a network to drive the task of proactive strate-
gic risk management. He is a founding member of a Danish ERM network, an
executive member of the European Council of Risk Management, and a specialist
member of the Institute of Risk Management (IRM). He is a member of the RIMS
Strategic Risk Management Development Council. The LEGO Group and Læssøe
have won multiple European awards for their unique risk management approach.
Læssøe is the author or coauthor of articles in international magazines, and speaks
at international risk management conferences.
CHAPTER 7
Turning the Organizational
Pyramid Upside Down
Ten Years of Evolution in Enterprise Risk
Management at United Grain Growers
JOHN BUGALLA
Managing Principal, ermINSIGHTS
Strategy without tactics is the path to uncertain success; tactics without strategy is
the noise before defeat.
—Sun Tzu (c. 544–496 B.C.)
Few companies stand out as successful pioneers in enterprise risk management
(ERM), especially one that undertook the initiative almost 15 years ago. One such
ERM pioneer was United Grain Growers (UGG), a conservative 100-year-old
Winnipeg, Canada–based grain handler and distributor of farm
supplies. When UGG announced that it had implemented a new integrated risk-
financing program in 1999, it received a great deal of attention in the financial press.
CFO magazine hailed the UGG program as “the deal of the decade.”1 The Economist
characterized it as a “revolutionary advance in corporate finance.”2 Harvard cre-
ated a UGG case study.3 While most outside attention focused on the direct finan-
cial benefits of implementing the program (protection of cash flow, the reduced
risk capital required, and a 20 percent increase in stock price)4, scant attention was
given to the less tangible and therefore less measurable issues of governance, lead-
ership, and corporate culture—the conditions that enabled such innovation. It was
a combination of a collaborative leadership open to new ideas, a culture of con-
trolled risk taking, and active risk oversight by the board that produced a strategic
approach to UGG’s risk management process. A combination of the same cultural
factors had already contributed to the 1993 transformation of UGG from a coop-
erative structure to a publicly traded company with access to the capital markets.
UGG’s chief executive officer (CEO) had two key strategic objectives: (1) from day
one of his tenure, a razor-sharp focus on improving the financial performance of
the company to better serve customers and shareholders, and (2) as financial per-
formance improved, to change the risk profile of the company to attract long-term
shareholders versus short-term stock speculators.
Implementing the integrated risk program that reduced earnings volatility
helped to change the risk profile of the company. However, the strategic goals
of UGG went deeper than an integrated risk program. Over the next several
years, financial performance continued to improve. New value was created by
implementing a unique credit financing business (UGG Financial), in partner-
ship with the Bank of Nova Scotia (ScotiaBank). This was followed by merging/
acquiring the business of rival Agricore Cooperative in 2001, creating Agricore
United (AU). The final act of value creation was extracting a high premium for
AU’s stock in 2007 from several bidders that wanted to acquire the company.
BACKGROUND—OPERATING ENVIRONMENT
The grain business is capital intensive and inherently risky in terms of supply,
commodity prices, currency exchange rates, Canadian government regulation of
the industry, and, from time to time, the current political climate existing with key
customers. Weather is obviously a major risk, and it determines local and over-
all supply. Grain production in the Canadian prairies covers tens of thousands
of square miles of Manitoba, Saskatchewan, and Alberta, and stretches into the
Peace River district of British Columbia. The success or failure for the entire crop
year, for the farmer-growers, grain handlers like UGG, and road and rail trans-
porters, is determined by the amount of rainfall in April and May. Not enough
rain in those key months translates into a drought-reduced harvest. Added com-
plexity was demonstrated by an analysis of a century of rainfall data that revealed
that weather events thought to occur every 100 years actually occur every nine to
11 years. However, UGG was a grain handler, not a crop grower. The threat to UGG
was related to the volume of grain that it would process, much of it at a fixed price
established by the Canadian Wheat Board (CWB).5 UGG had an established aver-
age market share of 15 percent. UGG (and its competitors) would be allocated rail
cars by the Canadian Wheat Board that were almost entirely determined by its mar-
ket share in the preceding year, no matter how large or small the crop. There was,
therefore, little opportunity to gain (or lose) grain handling market share. Con-
sequently, it was overall grain production volume risk that drove revenues and
profits.6
Grain is a commodity traded on global exchanges. The price of grain, such
as wheat, like any other commodity, is driven by supply and demand. While
local weather conditions impact Canada’s grain-producing provinces, supply and
demand are also impacted by global7 weather conditions. Political risk is another
factor in the supply-and-demand chain, as Canada is a major grain exporter. A
grain embargo placed on a major customer nation is a critical threat. It has been
said that wheat is 15 percent protein and 85 percent politics.
Canadian grain (wheat, barley, oilseeds, and pulse crops)8 is harvested in the
fall. The average Canadian harvest is over 60 million tons. The farmers harvest the
grain and then transport it to the storage elevators operated by UGG and its com-
petitors. The primary grain elevators are located on railroad sidings in farming
communities that enable the railroad to collect the grain in special hopper cars
and transport it to the two main grain terminal ports at Thunder Bay on Lake
Superior for shipments going east, and Vancouver for shipments going west. As
a result of almost 100 years of railroad regulation and transportation subsidies,
Western Canada was dotted with smaller wooden grain elevators, most of which
could accommodate only short trains. The business was inefficient. By the 1990s
the grain business was in transition. Deregulation of the railroads and the removal
of transportation subsidies provided the railroad companies with the incentive to
eliminate uneconomic branch lines. This, in turn, required that the smaller wooden
elevators that dotted Western Canada would have to be replaced by giant modern
elevators able to accommodate 100 or more grain railcars. The railroads were driv-
ing cost inefficiencies out of the system. This imposed a massive increase in cap-
ital requirements on UGG (and its competitors) as it embarked on an infrastruc-
ture rebuilding program—replacing its multitude of old wooden elevators with
large, high-throughput, concrete ones capable of loading the multiple carloads
demanded by railroad rationalization—reducing grain handling costs per metric
ton, but adding new fixed costs.
Adding to the financial pressure of investing in grain handling infrastruc-
ture replacement, working capital requirements were also increasing rapidly. Dur-
ing the 1990s, the western Canadian grain handling companies responded to the
increasing demand for crop inputs (seed, fertilizer, herbicides, and pesticides) by
aggressively investing in the farm retail business. Farm retail sales showed dra-
matic growth as biotechnology delivered new products and genetics that promised
to increase and protect crop yields. This substantially increased the amount of retail
credit extended to farm customers.
GOVERNANCE
The financial scandals of the mid-1990s, such as Barings Bank and Orange County,
were just as troubling then as the recent decade’s risk management mistakes, mis-
deeds, and failures are to today’s regulators and investors. The financial culprit
then was the emerging issue of financial derivatives rather than the residential
mortgage-backed securities that wreaked havoc on the global financial markets in
2008–2009. The scandals of the 1990s had the effect of sensitizing legislators, reg-
ulators, and investor advocates to start asking organizations questions about how
publicly traded companies manage the inherent risks of their business. From these
concerns were born a number of guidelines and standards in many parts of the
world that, in general, allocated accountability to directors, officers, and organiza-
tional management to effectively manage their risks. One example, corporate gov-
ernance guidelines produced by the Toronto Stock Exchange (TSX), set out five
general responsibilities of directors in Canada. In addition to strategic planning,
succession planning, communication policy, and internal control/management
systems, directors were given responsibility for “the identification of the principal
risks of the corporation’s business and ensuring the implementation of appropriate
systems to manage those risks.”9
For a company historically sensitized to managing substantial business risks,
particularly grain price volatility,10 the TSX guidelines immediately struck a chord.
The board of directors of UGG therefore mandated the chief executive officer to
form a Risk Management Committee, establish a formal risk management policy,
develop corporate-wide risk management processes, and report to the Audit Com-
mittee of the board of directors on a quarterly basis. The board of UGG created a
platform for the adoption of ERM and a strategic approach to risk management.
UGG already had a solid platform on which to build its approach to ERM. Risk
management was a process that was well ingrained at UGG, and had been since
the 1970s. The organization had a risk management policy, applied risk manage-
ment processes via inspections (identification and evaluation) as required under its
corporate insurance programs, and had developed internal loss prevention pro-
grams (environment, safety, and loss control); but, unlike many other organiza-
tions at the time, UGG also applied a risk measurement metric to its risk manage-
ment initiatives by tracking its “cost of risk” (net risk retention costs + risk transfer
costs + risk-related administrative overhead = cost of risk).
Concurrently, UGG’s leadership team was wringing out as much cost from
the system as possible. Between the capital requirements for the new elevators, a
lengthy depressed operating environment, and reduced crop volumes, reducing
cost throughout UGG was a critical objective. Risk management expenses were no
exception.
Leadership
Tracing its roots back to 1906 as a farmer-owned cooperative,11 UGG was a
mature organization entrenched in its own bureaucratic business model. There
were numerous business units operating under the UGG umbrella but all reporting
in a hierarchical command and control structure straight to headquarters. By the
early 1990s, the company had become financially distressed—UGG was in breach
of its bank covenants and losing cash. Under consideration in 1990 was the idea of
exiting or selling certain noncore business units. An internal study of one business
(farm supplies) produced a stark picture of not only that single business, but an
entire organization, including operations, and its unresponsiveness to customer
needs. The report was a candid assessment of the organization that equated the
firm to a geriatric patient 85 years old in need of major care if it expected to survive.
Written by the future CEO, the report projected that without dramatic change the
fluid and dynamic forces taking place in the entire agribusiness sector, coupled
with UGG’s weak balance sheet, would simply overwhelm the cooperative in a
matter of a few years.
The financial imperatives critical to survival were fixing the weak balance
sheet, recapitalization, and addressing bank covenants that had been breached.
Access to cash and the capital markets was of paramount concern. One way to
access the capital markets efficiently was to demutualize and become a publicly
traded company. While it literally took an act of Parliament to demutualize, UGG
went public in 1993.12
The UGG Annual Report in 1994 indicated the transformational shift in think-
ing by the new CEO that would set in motion a series of events that propelled the
company to greatly improved operating and financial performance:
We have also taken definitive steps to organize our business so that the decisions
which most affect customer service are made by the people who deal directly with
customers. In the last year, we turned our organizational pyramid upside down.
We can’t be prompt and effective in the era of market-driven agriculture if all the
decisions that impact on customers are made by senior managers, sitting in Head
Office, at the top of the organizational pyramid. In the country—in our core grain
and inputs businesses—we’ve tipped the pyramid over. Our management team
now provides support and planning services to the people who deal with cus-
tomers, therefore enhancing services. This change was perhaps the most profound
rethinking of our business approach in many years.13
Improved operational and financial performance would not have been pos-
sible without building an executive team of trusted partners who also embraced
the need for change. Turning the pyramid upside down and allowing UGG staff
interfacing with customers to respond quickly to their needs required a cultural
shift—from the previously hierarchical management structure to one that delegated
decision making and fostered personnel development. A new chief financial offi-
cer, with working experience in publicly traded companies, was appointed to help
develop and implement the financial disciplines and tactics necessary to achieve
the company’s business strategy.
Turning the pyramid over to improve customer service also required a com-
pletely new approach to management information technology (IT) systems.
Like the oil in an engine, lubricating support processes are needed for any busi-
ness to operate smoothly. . . . UGG also eliminated its need for mainframe comput-
ing over the past year. While the Company incurred the double cost of carrying
both our new “client-server” and mainframe for a good part of fiscal 1995, from
fiscal 1996 forward we will realize material benefits from this shift. UGG won inter-
national recognition from the Smithsonian Institution for innovation in applying
computing technology during 1995 for the successful completion of this project.14
Over the decade and a half following the decision to demutualize UGG, the
transformation in management philosophy and the executive team’s implemen-
tation of strategic decisions proved successful in realizing the company’s objec-
tives: The confidence of the board of directors was gained progressively and cumu-
latively and developed into an effective partnership with management; it was
decision-making capital built up over time that created a culture of welcoming
and listening to new and innovative ideas—ideas that could better serve UGG’s
customers and other stakeholders.
Of course, no company has a straight line to success, and UGG was no excep-
tion. The ERM program was one example. Before risks can be managed and oppor-
tunities considered, they have to be identified. It is commonplace today, but, mind-
ful of expenses and time constraints, the mandated (Toronto Stock Exchange, UGG
Board, and CEO) risk identification process and subsequent risk rankings at UGG
were accomplished in a single daylong meeting. The composition of this meeting
exemplified the company’s departure from hierarchy: Participants were selected
not by the seniority of their rank in the organization but rather for their knowledge
and experience of the business; they ranged from frontline representatives to vice
presidents, all given an equal opportunity and showing an equal propensity to con-
tribute to the process. However, the road to ERM would take more than two years,
which, once the company’s major risks were identified, included intense analysis,
evaluation, and quantification of the company’s principal risks. There were head-
winds along the way. The process was temporarily delayed by (1) a major flood in
UGG’s home province and (2) a hostile takeover attempt by a combination of two
competitors (which, after their failure to acquire UGG, merged to form Agricore
Cooperative).
UGG did not embrace ERM as a risk management destination, but as (an
important) part of a process that would support executive management’s risk-
adjusted decision making. It evolved as a logical progression that had begun eight
years earlier with the company’s strategic vision for its future and the development
of a more inclusive management style.15
ERM/Integrated Risk Outcomes
The concept of developing an ERM process was new in the late 1990s. UGG started
by identifying and assessing its principal risks. As indicated earlier, since the 1970s
a substantial amount was already being done to control and measure the cost of
property, casualty, liability, environment, safety, and loss control risks, in addition
to potential (if unhedged) grain price exposure; the additional dimension was to
apply the same systematic procedures to all the company’s major business risks.
The major risks were identified through the ERM exercise. Quantitative risk
analysis confirmed (not unexpectedly) that weather had the greatest impact on
UGG’s earnings, cash flow, and debt stability. Almost 100 years of data was avail-
able on the Canadian prairies’ crop production levels; this revealed that major
droughts, such as occurred during the late 1920s and early 1930s, could reduce
grain production and, consequently, UGG’s grain handling volume in the subse-
quent year by as much as 50 percent. Since this could pose a significant threat to
UGG’s profitability, cash flow, and ability to control its debt level (and, therefore,
investment plans), UGG’s senior finance, risk management, and treasury person-
nel began searching for a means to control this risk at reasonable cost.
Two different approaches to the problem were explored: Aware that finan-
cial derivatives might offer a solution, discussions were initiated with financial
institutions; but none could be identified that were able to hedge the risk. UGG
then began collaborating with its insurance broker, who conceived an insurance
solution—a structure that incorporated the grain volume risk with all UGG’s tradi-
tionally insured risks (property, casualty, freight, liability, etc.) into an “integrated
risk-financing program.” UGG was intrigued by this concept, particularly since a
quantitative analysis suggested that such a program would cost no more than the
discrete insurance policies that UGG was currently buying—without grain volume
insurance. UGG’s executive management worked closely with the broker and mar-
ket to address this never previously insured exposure. Swiss Re, largely because of
its expertise, capacity, and triple A financial rating, provided UGG with a ground-
breaking integrated risk-financing program that applied to the various event risks
that had previously been addressed by monoline traditional insurance policies,
and a parametric risk solution tied to the expected volume of grain passing through
UGG’s grain handling pipeline.
The effect of this on UGG’s potential financial stability was dramatic; while it
“protected” (put a floor under) grain handling earnings that represented approxi-
mately 50 percent of UGG’s total gross profits, it had an even greater proportion-
ate effect on the company’s net profits and cash flow—providing, by stabilizing its
debt structure, greater assurance of its ability to deliver on its strategic plan. The
Economist pointed out that “for a large chunk of its own equity, it [UGG] substi-
tuted the imposing capital of the world’s largest reinsurer.”16
It is worth noting that while the financial media sometimes referred to UGG’s
risk-financing program as ERM, this was a misnomer; it was in fact an inte-
grated risk-financing program (combining multiple property and casualty risks
with the grain volume coverage). It was UGG’s different approach to thinking
about risk—considering both the upside as well as the downside from an enter-
prise perspective—that was the ERM in the company’s process.
ERM CREDIT FINANCING OUTCOMES
Given the high capital demands of grain handling infrastructure renewal, UGG
was also concerned about its ability to finance the rapid growth in crop
inputs retailing—specifically the burgeoning demand from farmer customers for
extended credit. Within UGG, a division called Crop Production Services man-
aged the retail sales and logistics of these products, which included the extension
of UGG retail credit to farm customers. As the levels of working capital and asso-
ciated risk in the credit program increased, UGG sought to bring it under more
rigorous control by placing credit at arm’s length from the retail operation, and
under the oversight of the corporate treasury.
A cultural shift gradually took place that ensured compliance with improved
practices in credit extension, but growth continued to strain working capital. This
was alleviated to some extent by renegotiating bank lines, and later by undertak-
ing the first off-balance-sheet securitization of Canadian farm receivables, but then
competition was driving retailers to use financing as a tool to promote sales—there
was a competitive advantage in being able to provide credit terms that extended
repayment until after harvest. Ideally, the solution was to retain some control over
the credit product, and to have as much credit capacity as needed, at attractive
terms, without putting a strain on the balance sheet.17
After lengthy exploration, this was finally accomplished by forming UGG
Financial through a strategic alliance between UGG and Scotiabank. Essentially,
UGG provided the customers, administration, and reporting while Scotiabank pro-
vided the capital. UGG shared an equal level of risk with the bank with a hard
cap18 on the maximum limit. UGG received significant fees from Scotiabank based
on the performance of the portfolio. The results were dramatic, effectively freeing
up to $200 million in capital, extending customer credit terms up to 12 full months,
streamlining application processes and providing greater levels of customer ser-
vice, and expanding product lines to livestock producers. It was also instrumental
in enabling acquisitions of independent retailers’ accounts and the merger of UGG
with Agricore Cooperative to form AU in 2001. This arrangement forced competi-
tors to engage in similar outsourcing credit arrangements, and it became the stan-
dard of the industry. When Saskatchewan Wheat Pool eventually acquired AU, the
operation was extending $1.5 billion in credit to 20,000 customers and generating
over $10 million in net profits annually.19
A third leg of UGG/AU’s activities was its Livestock Services division.
Accounting for between 10 percent and 15 percent of the company’s business,
its primary activity was the manufacture and sale of animal feedstuff, the largest
segment being to hog farmers. Traditionally highly leveraged, hog farmers were
114 Implementing Enterprise Risk Management
vulnerable to cyclical fluctuations in hog prices. Learning from the statistical tech-
niques employed in assessing UGG/AU’s other risks during the ERM process, col-
laboration between corporate and divisional management identified an opportu-
nity to use these methods to acquire a competitive advantage in supporting feed
sales to hog producers.
By analyzing the hog price cycle, it became evident that there was an opportu-
nity for UGG/AU to provide hog price risk management to customers who con-
tracted to purchase their feed from the company. Provided that the customers
met strict performance criteria (such as weight gain, morbidity, etc.), the com-
pany would agree to support shortfalls in realized prices from a preestablished
minimum until prices recovered sufficiently to recover the subventions, thus pro-
tecting the producers’ cash flow. Clearly there was always a risk that the histor-
ical pattern of the hog price cycle could prove an insufficient predictor of the
severity or length of future price downturns; however, using statistical model-
ing techniques, it was possible to stress test the company’s exposure to credit
risk to ensure that the capital at risk did not exceed preestablished levels based
on UGG/AU’s required return targets (on the associated feed sales). In this way,
the company was able to promote its feed sales to high-performing producers
with the quantitative intelligence to provide a high degree of assurance that it
would achieve its return targets without excessive risk, secure in the knowl-
edge that if competitors provided more attractive terms under any similar pro-
gram they risked eroding their financial (and, therefore, long-term competitive)
positions.20
Apart from the obvious risk mitigation provided by the integrated risk-
financing program, it could be argued that the broader ERM project further
increased UGG’s ability to take on more risk; as it gained a more precise quan-
tification of the risks it faced, not only as individual risks but in aggregate, this
improved understanding of its overall risk profile reduced the need for “precau-
tionary capital.”21
While by no means all of the risks that UGG/AU confronted could be quan-
tified (and could only be managed procedurally or avoided altogether), the quan-
tification of its major risks substantially enhanced the company’s ability to model
its anticipated financial performance. While weather could have a dramatic impact
on the volume of grain produced, it could also have a significant influence on the
volume, timing, and variety of seed, fertilizer, herbicide, and pesticide sales by
the Crop Production Services division (e.g., an unusually wet spring that delayed
planting could shift sales from one quarter to another, change farmers’ planting
intentions, and alter their fertilizer, herbicide, and pesticide requirements for the
entire crop year).
Such variability could substantially affect UGG/AU’s quarterly and annual
earnings, even if the impact was not as dramatic as a full-blown drought. UGG
had developed a comprehensive financial model of its expected earnings, debt lev-
els, and cash flow. Prior to developing the intelligence derived from the quantifi-
cation of its major risks during the ERM process, the model had, however, been
one that produced average (or normal weather condition) projections—good for
long-term planning but of limited use in the short term, as it did not anticipate
the consequences of seasonal and year-to-year variability. Given the quantitatively
TURNING THE ORGANIZATIONAL PYRAMID UPSIDE DOWN 115
enhanced understanding of the potential range of earnings and cash flow derived
from ERM, the company was able to model the complete range of its possible finan-
cial outcomes. While this did not significantly enhance its understanding of its
expected long-term average results, it did provide a powerful analytical tool: It
identified its requirements for contingent capital with more precision; it provided a
much better tool for judging its performance against its plans in a set of potentially
variable conditions—an infinitely flexible budget; and it improved its capacity to
respond appropriately to changing conditions that had, or might have, adverse
financial implications.
ERM was also able to bring a more consistent and disciplined treatment of
risk exposures across the organization. UGG became better positioned to allocate
appropriate resources to ensure that the risks within the different divisions and
activities of the company were not over- or undermanaged relative to the corpora-
tion’s level of risk tolerance.22
AGRICORE UNITED
As the solutions to UGG’s top risks started to pay financial dividends and improve
its balance sheet, the management team began to apply enterprise-wide thinking
to other areas that had been identified and to factor this competitive strength into
its growth strategies. One of these was a merger with Agricore Cooperative, a
rival grain processor whose predecessor companies had, three years previously,
attempted a hostile takeover of UGG.23
UGG’s integrated risk-financing program proved a valuable tool during the
merger negotiations: The potential to expand the program to the enlarged com-
pany was perceived by Agricore Cooperative’s board of directors and members as
a means of providing greater stability and security to the organization.
In practical terms, though, UGG Financial was a more powerfully persua-
sive factor in the merger: Lacking UGG’s access to the capital markets, Agri-
core Cooperative had become substantially overleveraged in the race to build
high-throughput elevators and expand its crop inputs business in line with its
competitors; consequently, the prospect of being able to roll up Agricore Cooper-
ative’s receivables into UGG Financial was a very significant advantage for a com-
bined company—removing, as it did, the need for some $300 million in financing
from the combined company’s balance sheet (compared to the amount previously
financed directly by Agricore Cooperative).24
HARVESTING VALUE
Every publicly traded company is for sale, and the price is visible to everyone in the
form of the stock price. While AU would have preferred to stay independent, the
company received a buyout offer from the Saskatchewan Wheat Pool (SWP) that,
under Canadian law, could not be ignored even though the initial offer was con-
sidered by management to be woefully inadequate. The AU CEO and the board of
directors, given their governance responsibilities, thought the offer could be sub-
stantially improved or even countered by another suitor—one prepared to put a
more realistic value on AU. The CEO believed there were three possible options
that could create additional stakeholder value:
1. AU could make its own offer to buy out SWP.
2. AU could seek a white knight to counter the SWP offer, effectively creating
an auction that would produce the highest bid (i.e., provide the greatest
possible increase in shareholder value).
3. Archer Daniels Midland (ADM) was a strategic partner and significant
stakeholder in AU that had aided UGG in its defense of the hostile takeover
attempt by Agricore Cooperative’s predecessor companies. ADM could be
offered a proposal to increase its ownership position.
The CEO and the board of directors decided upon a strategy to pursue the first
two options, which also offered the greatest flexibility to ADM.
As is usual in hostile takeovers, a team of advisers and investment bankers
was hired by AU to analyze the company’s financial position and prospects and
determine a fair value. At the same time, AU made a buyout offer to SWP that
was rejected. After the evaluation was completed, it confirmed that AU was worth
considerably more than the share-swap deal offered by SWP. The AU board of
directors, which included representatives from ADM, rejected the buyout offer.
One of the AU board members then made an overture to Richardson Interna-
tional, Canada’s next largest agribusiness, to determine its interest in acquiring
AU. Richardson International offered a friendly all-cash offer higher than the offer
from SWP. Not to be thwarted in its takeover attempt, SWP countered with a higher
all-cash offer. This had the effect of creating an auction process where the price
for the AU stock reached a level prompting ADM to make a strategic decision.
ADM could increase its holdings in AU and assume control or could sell them at a
substantial profit to shareholders, knowing that AU was going to be sold to either
SWP or Richardson International. Finally, the highest bid was an all-cash offer from
SWP.25
After the buyout was complete in 2007, SWP changed the name of the com-
bined company to Viterra, Inc., and continued to operate until being acquired by
Glencore International on January 1, 2013.26
CONCLUSION
Thomas Edison once quipped: “Vision without execution is hallucination.” Turn-
ing the organizational pyramid upside down initiated a transformation in the
company—a process starting with the formulation of a strategic plan, then trans-
forming the culture of the organization, and finally demanding execution of that
plan. Without execution, innovative ideas tend to die on the vine. While one aspect
of the organizational vision was intended to be operational—improving customer
service—another (more subtle) effect was to transform the entire culture of the
company. The cultural shift to a leadership that was aligned in their goals made
for quicker and better-informed decision making. UGG and its successor com-
pany AU did not just become more responsive to the needs of customers; the new
culture developed greater collaboration between senior and middle management
teams, and delegated responsibility to them for their decisions. This collabora-
tive but accountable environment allowed a number of innovative solutions to
the company’s business challenges to be created: developing new (client-server)
computing, early adoption of the ERM process, the subsequent groundbreaking
risk-financing program, and the creation of UGG/AU Financial—not just indus-
try firsts that spawned imitators but also initiatives that significantly added value
to the corporation.
QUESTIONS
1. Why does a more participative management style (“tipping the pyramid over”) lead to
greater responsiveness to customers’ needs, increased accountability, and more innova-
tive solutions to challenges than a hierarchical “command and control” structure?
2. Under what circumstances might the hierarchical “command and control” structure pro-
duce superior results?
3. What particular factors do you believe led UGG/AU to be pioneers in ERM? Was it
industry/company/history/circumstances? Was it a changed organizational “culture”?
Was it good management?
ACKNOWLEDGMENTS
This chapter could not have been written without the extensive cooperation of the
following:
Peter G.M. Cox, Former Chief Financial Officer, Agricore United
Brian Hayward, Former Chief Executive Officer, Agricore United
Michael McAndless, Former Chief Risk Officer, Agricore United
George Prosk, Former Treasurer, Agricore United
NOTES
1. “Whatever the Weather,” CFO, June 2000.
2. “Outsourcing Capital,” The Economist, November 1999.
3. “United Grain Growers Ltd. (A),” Harvard Business Publishing, August 2003.
4. United Grain Growers Ltd as of December 2, 1999, Yahoo! Finance stock chart.
5. The CWB was created in 1935—with antecedents going back to before World War I—as a
mandatory producer marketing system for wheat and barley grown in Western Canada.
It was illegal for farmers under CWB jurisdiction (anywhere in Western Canada) to sell
their wheat and barley through any channel other than the CWB. The CWB became a
voluntary marketing organization only in 2012.
6. Interview with Peter Cox.
7. Agricultural Futures Markets.
8. Pulse crops are peas, beans, and lentils.
9. In 1994 a committee sponsored by the TSX published a report (the Dey Report) contain-
ing corporate governance recommendations to TSX-listed companies. In 1995 the TSX
adopted them as “best practice guidelines.” Although the guidelines were not manda-
tory, the TSX did require listed companies to disclose annually their approach to corpo-
rate governance and provide an explanation of any differences from the guidelines.
10. Virtually all grain purchases not matched by sales contracts, as well as sales contracts
for which the company did not have purchased grain, were hedged using derivatives on
long-established international grain exchanges, while very limited, unhedged positions
had been closely managed and supervised for many years.
11. UGG was formed in 1917 by the merger of the Grain Growers’ Grain Company, founded
in 1906, and the Alberta Farmers’ Co-operative Elevator Company of 1913.
12. The United Grain Growers Act was approved by the Canadian Parliament in 1992,
allowing UGG to become a public company with both members (the former cooper-
ative’s members) and public shareholders.
13. 1994 UGG Annual Report, Chief Executive’s Report, and interview with Brian Hayward.
14. 1995 UGG Annual Report, Chief Executive’s Report, and interview with Brian Hayward
and Peter Cox.
15. Interview with Michael McAndless.
16. “Outsourcing Capital.”
17. Interviews with Peter Cox and George Prosk.
18. A “hard cap” means that there is a fixed upper limit on the amount of risk that UGG
would absorb.
19. Interviews with George Prosk and Peter Cox.
20. Interview with Peter Cox.
21. Interviews with Peter Cox, Brian Hayward, and Michael McAndless.
22. Interviews with Peter Cox, Michael McAndless, and George Prosk.
23. Interview with Brian Hayward.
24. Interview with Peter Cox.
25. Interview with Brian Hayward.
26. Various announcements in financial media.
ABOUT THE CONTRIBUTOR
John Bugalla is Principal of ermINSIGHTS, an advisory and training firm special-
izing in enterprise risk management and strategic risk management. His experi-
ence includes 30 years in the risk management profession serving as Managing
Director of Marsh & McLennan, Inc., Willis Group, Plc., and Aon Corporation
before founding ermINSIGHTS. He led the Willis team that negotiated the inte-
grated risk program on behalf of UGG. He is the author or coauthor of numerous
articles in diverse publications such as The Corporate Board magazine, CFO maga-
zine, the National Law Review, Credit Union Management magazine, Risk Management
magazine, the Journal of Risk Management in Financial Institutions, and the Journal of
Risk Education.
CHAPTER 8
Housing Association
Case Study of ERM in a
Changing Marketplace
JOHN HARGREAVES
Managing Director of Hargreaves Risk and Strategy
This case has two main aims. The first is to help develop an understanding of the
importance of enterprise risk management (ERM) in a charitable context, and show
that modern charities are often very active organizations that face
significant risks. Second, the case aims to illustrate the need for a close relationship
between risk assessment and strategy development, particularly in sectors where
objectives are defined in social as well as in economic terms. This case features
four real-life charitable housing associations in England and Wales, each with a
different strategy and risk environment. Simple yet practical tools to assist in risk
identification and prioritization are also presented.
BACKGROUND
The UK housing market is going through a difficult period. The number of house-
holds is expanding by 250,000 per year, but the rate of house building is only half
of what it needs to be. There is a tradition of home ownership, but the banking
sector has recently not been able (or willing?) to fund further growth, and home
ownership has fallen to its lowest level for two decades. Young working people
who would previously have taken out a mortgage and bought their houses are
now turning to renting. There is an urgent need to provide ordinary working peo-
ple with good quality homes; the private rental market provides homes of mainly
low quality, and market rents are increasing to unaffordable levels.
About one-fifth of the United Kingdom’s housing is owned by housing associ-
ations, independent charities that until recently have specialized in so-called social
housing (i.e., rental accommodation for the United Kingdom’s poorest people). The
quality of this housing has been significantly improved over the past few years to
meet the United Kingdom’s Decent Homes Standard.1 There are about 2,000 asso-
ciations, of which 250 own more than 1,000 homes each. Currently, their tenants are
mainly nominated by local authorities using prioritized waiting lists. Their rents
are set at about 40 percent of market rent, and quite a high proportion of these
119
rents are paid from welfare payments. However, £10 billion worth of welfare cuts
are now being implemented, with a further £10 billion still in the pipeline. This,
together with a stagnant economy, means that housing associations’ tenant com-
munities are now under significant financial stress. In the past year the associations
have built a total of about 40,000 houses, mostly for rental, largely using finance
from the bond market, to the tune of over £3 billion.
The building of new social housing stock has historically been subsidized by
government capital grants, but these have now been reduced both in number
and in value, and a typical grant (with strings attached) now covers only about
15 percent of the building cost. Now only about 40 percent of the housing asso-
ciations’ house building is utilizing the small grant subsidies available under the
government’s Affordable Homes program, to be let at rents between 60 percent and
80 percent of market rent.
In recent years, housing associations have been expanding into new product
areas, including:
• Building houses for sale
• Low-cost home ownership (the association owns part of a house, on which
  the tenant/owner pays a low rent, and the tenant/owner owns the rest,
  which is financed by a mortgage; the tenant/owner progressively buys his
  or her share from the association, and repays the mortgage, usually over a
  period of 25 years)
• Market renting
• Intermediate market renting, where rent levels are set somewhere between
  social and market rents, for key worker tenants such as nurses, teachers, and
  police officers
• Services for elderly people, such as old persons' homes and visiting support
  services
• Nursing homes and student accommodations
• Providing services, such as building maintenance and servicing tenant
  repair requests, on a contract basis for other associations
SECTOR ISSUES
Each association has its own board, with a large degree of independence. The
board members of most large associations are paid for their services, but in smaller
associations their participation is voluntary. The sector is regulated by the Homes
and Communities Agency (HCA), but only in respect of governance and viability,
not the quality of service provided. Most associations cover small local areas, but
increasingly associations are amalgamating to give them a regional, rather than
local, coverage. The boards of housing associations now have to make difficult
strategic decisions, and different associations are adopting contrasting strategies
according to their individual circumstances and risk appetites. Their environment
is now much riskier than previously, and all of the available strategies are riskier
than the typical association is used to. The choice is broadly between four generic
strategies:
1. To concentrate on continuing to provide good quality housing services to
existing social housing tenants and their replacements, in a situation where
HOUSING ASSOCIATION CASE STUDY OF ERM IN A CHANGING MARKETPLACE 121
local authority financing is being cut by up to 28 percent and support ser-
vices are therefore likely to be cut. This policy helps those in need, reduces
leverage, and conserves resources that could be used to support a more
expansive policy in a better socioeconomic climate.
2. To invest in various social services on the borderline between the pri-
vate and public sectors with the aim of increasing human or environmen-
tal well-being, and in particular regarding employment generation and
support.
3. To expand in the affordable rent market, by using a mix of external capital
and grants, and by cross-subsidy through progressively transferring exist-
ing social-rent housing onto a higher rent level.
4. In areas of high housing demand such as London, to develop high-volume
housing for sale or at full market rent, and also to build houses where the
tenants pay a rent sufficient to allow them to accumulate a financial interest
in the property. An association, in employing this strategy, would typically
have a culture similar to that of a commercial developer.
There are a number of issues currently causing concern in the sector; in partic-
ular:
• The government currently pays housing welfare benefits to landlords where
  the tenant qualifies to receive the benefit. This means that the risk of ten-
  ant rent arrears is much reduced. In the future, to encourage a culture of
  self-sufficiency, the government will pay benefits directly to tenants, and
  expect them to pay their own rents. Only if rent arrears reach a level of two
  months will the government resort to the payment of a tenant's rent to the
  landlord.
• Benefit levels are being reduced, and more pressure is being put on recipi-
  ents to find work.
There is an acute housing shortage in London and the South East of England,
which the sector is struggling to meet. In the north of the country the housing
market is weak, with some economists being of the opinion that many houses are
overvalued. In the event that there is another depression or a reversion within the
present one, or a sudden increase in interest rates, then there is a danger of a down-
ward correction in house prices.
Some associations were set up several years ago to take over local authority
houses, then in poor condition, and bring them up to the Decent Homes Stan-
dard using long-term bank financing specifically tied to this (low-risk) purpose.
The Decent Homes Program was successful, with the required standard gener-
ally being attained by 2012. However, often the bank financing has covenants that
prevent the association from borrowing more money to branch out into riskier
activities without the need for refinancing their existing lending at higher inter-
est rates, typically 1.5 percent greater than their existing finance. For these associ-
ations, known as large-scale voluntary transfers (LSVTs), a decision is needed as
to whether they should stick with their knitting and limit their investment in new
houses to what they can generate internally, or bite the bullet and pay the extra
margin for new loans to fund an expansion.
In some respects the position of the sector is relatively stable, since the demand
for its core product would be expected to increase in adverse economic times.
However, the sector’s finances are finely balanced, with its borrowing subject to
profitability and leverage covenants, so it may be vulnerable to sudden changes in
economic conditions, and in particular:
• To an economic downturn if this were to be accompanied by a sudden fall
  in house prices, since there could then be losses on houses being built for
  market sale.
• To a sudden hike in interest rates, if this were not accompanied by an equiv-
  alent increase in inflation. About two-thirds of the sector's borrowing is at
  fixed interest rates, thus reducing this risk. Also, the social housing rent lev-
  els of a typical association are tied to the United Kingdom's consumer price
  index (CPI), so if the interest rate rise were accompanied by an increase in
  inflation, as has commonly been the case in the past, the risk would also be
  covered. However, there remains a chance that a sudden change in mone-
  tary policy could result in interest rate increases without an accompanying
  increase in inflation rates, possibly accompanied by a sudden fall in house
  prices.
CHARITABLE STATUS
Housing associations are registered as charitable organizations under the UK
Charities Act of 2006, being set up to provide public benefit by relieving poverty,
developing communities, and supporting people who are in need by reason of
their age, ill health, financial hardship, or other disadvantage. Most of them make
substantial surpluses, which they retain and use for their charitable purposes. As
charities, they are exempt from paying UK corporation tax. Housing associations
often also engage in noncharitable activities such as market renting or building
houses for sale by setting up noncharitable subsidiaries, which then will gift any
profits made to the parent charity, which then exempts the subsidiary from having
to pay corporation tax. Public donations do not comprise a significant part of the
sector’s cash flow.
Sector Risks
The housing association sector is regulated by the Homes and Communities
Agency (HCA). The HCA has extensive powers to intervene if it believes an
association is being poorly governed or its viability is threatened. Most associa-
tions are highly leveraged, and the presence of an efficient regulatory activity is
viewed by the financial sector as extremely important in supporting its lending.
To date, the regulatory system has been unbelievably successful—while a num-
ber of associations have gotten into difficulties over the past 25 years, in no case
has a financial institution made lending losses, and there has been only one case
of serious default. The regulator adopts a co-regulatory approach, which “gives
providers full responsibility for managing their own businesses, including their
own risks. The role of the regulator is to seek assurance on how those risks are
being managed.”2
The regulator’s view of the financial risks facing the sector is that:
The model of social housing that has existed for approximately 25 years is chang-
ing. Boards of providers more than ever need to be aware of the risks and choices
they face in order to meet their objectives. They also need to understand the interac-
tion between the various risks and their overall “portfolio” impact. An approach
to risk that considers issues in isolation is unlikely to be effective in the current
operating environment. . . . The risks can be summarized as:
• Asset-related risks, including risks associated with:
  – Development
  – Diversification into other activities
  – Exposure to the housing market
  – Maintaining existing stock
• Liability-related risks, including risks associated with:
  – Existing debt (gearing, loan covenant, and repricing issues)
  – Mark-to-market exposure
  – IFRS
  – New forms of debt
• Income-related risks, including risks associated with:
  – Affordable rent
  – Welfare reform
  – Supporting people
• Cost-related risks, including risks associated with:
  – Pension issues
  – Differential inflation rates
The relative importance of each of these risks and their interaction with each other
will depend on the precise business models and stock holding patterns of individ-
ual providers.
SOME USEFUL METHODOLOGY
The following are some notes on two risk techniques that have been found to be
useful in the sector.
Risk Appetite Determination
The sector has had a number of cases where associations have taken on rather more
risk than their risk capacity allowed. As part of the process of establishing the con-
text for risk management in the sector, answering the following questions has been
found to be helpful:
Q1: How much risk do we think we are taking (risk perception)?
Q2: How much risk are we actually taking (risk exposure)?
What evidence have we got that the assessment is correct? If there are gaps,
biases, or incorrect assessments in the risk map, our perception will be
incorrect.
Q3: How much risk do we usually like to take (risk propensity/culture)?
If this is less than Q1, then we will feel uncomfortable.
Q4: How much risk could we safely take (risk capacity)?
This should be bigger than Q1, Q2, and Q3. It mainly depends on financial
strength and covenants, but also a view of response speeds should things
start to go wrong.
Q5: How much risk do we think we should be taking (risk attitude)?
We may feel we should be doing things but we don't currently have the
capacity to do them.
Q6: How much risk do we actually want to take (risk appetite)?
This is perhaps a compromise!
Q7: How do we set controls and limits across products and parts of the busi-
ness, so that we can be confident that our total risk appetite is not exceeded
(risk limits)?

Exhibit 8.1 Sample Probability Scale

Probability Score   Description   Range
5                   Very high     More than 90%
4                   High          31% to 90%
3                   Medium        11% to 30%
2                   Low           3% to 10%
1                   Very low      Less than 3%
Risk Assessment Methodology
There are technical difficulties in assessing the risks in housing associations, largely
concerned with their mix of financial and social objectives. A successful approach
to risk assessment for the sector has been developed, as described in Chapter 13 of
Fraser and Simkins (2010) and summarized in Exhibits 8.1 and 8.2.
It is difficult to assess a risk that has several types of impact, but the task is
considerably simplified if you use a clear set of criteria3 such as those given in
Exhibit 8.2.
When using the scale in Exhibit 8.2 to assess a risk, one should decide which
is the highest type of impact and make the assessment based on the assessed level
of this type of impact. Thus if a risk has mainly staff impact, and many staff are
significantly affected, then the risk would be recorded as impact score 4. Similarly,
if another risk would result in major reputational damage, the score would be 4.
However, if a risk has two or more types of impact at the same level, then the score
would be one degree higher (i.e., a score of 5 in the example).
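The scoring rule above (take the highest impact type; one degree higher when two or more types share that top level) combined with the probability bands of Exhibit 8.1 is small enough to implement directly. The following is an added worked example, not code from the chapter or from any housing association. Three points are assumptions rather than statements in the text: the bump for tied top-level impacts is capped at 5; a value that falls in the gap between two printed bands (e.g. 10.5% when the bands read "3% to 10%" and "11% to 30%") rounds up into the higher band; and the overall score used for ranking is probability score multiplied by impact score, which is common practice on a 5x5 risk map but is not stated on the page. The sample register at the bottom is constructed for illustration.

```python
"""Probability and impact scoring after Exhibits 8.1 and 8.2.

Added example, not the chapter's own code. Assumptions (not in the text):
  - the bump for two or more impact types at the same top level caps at 5;
  - a value between two printed bands rounds up into the higher band;
  - the combined score for ranking is probability score x impact score.
"""
from dataclasses import dataclass

# Impact columns of Exhibit 8.2 (assumed identifiers for the column names).
IMPACT_TYPES = ("strategic", "financial", "customers_staff",
                "reputational", "legal_regulatory")


def probability_score(p: float) -> int:
    """Exhibit 8.1: map a probability in [0, 1] to a 1..5 score."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability must be in [0, 1], got {p}")
    if p > 0.90:
        return 5      # Very high: more than 90%
    if p > 0.30:
        return 4      # High: 31% to 90%
    if p > 0.10:
        return 3      # Medium: 11% to 30%
    if p >= 0.03:
        return 2      # Low: 3% to 10%
    return 1          # Very low: less than 3%


def financial_impact_score(fraction_of_turnover: float) -> int:
    """Exhibit 8.2, Financial column: loss expressed as a fraction of turnover."""
    if fraction_of_turnover < 0:
        raise ValueError("loss cannot be negative")
    if fraction_of_turnover > 0.10:
        return 5      # Above 10%
    if fraction_of_turnover > 0.03:
        return 4      # 3.1% to 10%
    if fraction_of_turnover > 0.01:
        return 3      # 1.1% to 3%
    if fraction_of_turnover >= 0.003:
        return 2      # 0.3% to 1%
    return 1          # Less than 0.3%


def impact_score(levels: dict) -> int:
    """Chapter rule: score = the highest impact type's level; if two or more
    types sit at that same highest level, one degree higher (capped at 5,
    an assumption). `levels` maps impact type -> assessed level 1..5;
    types that were not assessed may be omitted."""
    if not levels:
        raise ValueError("at least one impact type must be assessed")
    for name, lvl in levels.items():
        if name not in IMPACT_TYPES:
            raise ValueError(f"unknown impact type {name!r}")
        if not 1 <= lvl <= 5:
            raise ValueError(f"{name}: level {lvl} outside 1..5")
    top = max(levels.values())
    at_top = sum(1 for lvl in levels.values() if lvl == top)
    return min(5, top + 1) if at_top >= 2 else top


@dataclass
class Risk:
    name: str
    probability: float
    levels: dict

    def score(self) -> tuple:
        """Return (probability score, impact score, combined score)."""
        p = probability_score(self.probability)
        i = impact_score(self.levels)
        return p, i, p * i


def rank(risks: list) -> list:
    """Order a risk register by combined score, highest first."""
    rows = [(r.name, *r.score()) for r in risks]
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample register; figures are illustrative, not from the chapter.
SAMPLE_REGISTER = [
    Risk("Welfare reform raises rent arrears", 0.60,
         {"financial": financial_impact_score(0.02),   # 2% of turnover -> 3
          "customers_staff": 3}),                       # two at level 3 -> 4
    Risk("House price fall on units built for sale", 0.15,
         {"financial": financial_impact_score(0.05),   # 5% of turnover -> 4
          "strategic": 2}),                             # single top level -> 4
    Risk("Regulatory breach in a subsidiary", 0.02,
         {"legal_regulatory": 4}),                      # -> 4
]

if __name__ == "__main__":
    for name, p, i, combined in rank(SAMPLE_REGISTER):
        print(f"{combined:>3}  (P={p}, I={i})  {name}")
```

The tie rule is what makes this more than a lookup: a risk that hurts both finances and customers at level 3 lands at the same impact score as a level-4 financial-only risk, which is exactly the effect the text describes. Changing the cap or the gap-rounding assumption is a one-line edit, so an association that reads the bands differently can adjust without touching the rule itself.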
FOUR ASSOCIATIONS
The case considers the strategy choice, risk analysis, and risk appetite of four asso-
ciations:
1. Large London association (London & Quadrant, 70,000 housing units)
This is one of the largest associations with a very strong financial
position. It is following an aggressive development policy with a mix of
Exhibit 8.2 Sample Impact Scale
Columns: Impact Score; Description; Strategic; Financial (% of Turnover); Customers and Staff; Reputational; Legal/Regulatory
5 Very high. Strategic: Major impact on direction of business. Financial: Above 10%. Legal/Regulatory: Compulsory transfer of assets.
4 High. Strategic: Major impact on important business objective. Financial: 3.1% to 10%. Customers and Staff: Significant impact on many customers or staff. Reputational: Major adverse publicity and external interest with damage to reputation and/or long-term impact. Legal/Regulatory: Prosecution/regulatory supervision; significant resource to rectify.
3 Medium. Strategic: Noticeable impact but business still on course. Financial: 1.1% to 3%. Customers and Staff: Noticeable impact. Reputational: Longer-term adverse publicity, locally contained. Legal/Regulatory: Loss of regulatory approval.
2 Low. Strategic: Minor importance. Financial: 0.3% to 1%. Customers and Staff: Minor or short-term problems. Reputational: Short-term local adverse publicity. Legal/Regulatory: More serious breach but no long-term implications.
1 Very low. Financial: Less than 0.3%. Customers and Staff: Impact both minor and short-term. Reputational: No adverse publicity. Legal/Regulatory: Minor breach of legal/regulatory requirements.
126 Implementing Enterprise Risk Management
intermediate rent, market rent, and houses for sale in order to meet the
expanding housing needs of London and the prosperous South East. It has
invented a number of innovative financial instruments and renting regimes
to make this high rate of expansion possible.
2. Medium-sized South Wales association (RCT Homes Limited, 10,000 housing units)
Based in the Welsh valleys to the north of Cardiff, an area of acute depression, this association has set up a number of social enterprise subsidiaries to help provide employment in the area. The association is also participating in a risky joint venture hoping to build 1,000 units mainly in the northern hinterland of Cardiff, the prosperous Welsh capital.
3. Specialist association (Ability Housing Association, 550 housing units)
This association provides housing and support services to disabled people living in the South of England. It works in partnership with other agencies to help deliver flexible and tailored housing and support for people who want to live more independently. Its housing stock comprises mostly either wheelchair-standard housing or supported housing for people who need additional care or support.
4. Medium-sized association in the prosperous corridor to the west of London (GreenSquare Group, 11,000 housing units)
The GreenSquare Group was originally formed in 2008 from two associations (Westlea Housing Association and Oxford Citizens Housing Association). Another Oxford-based association, Oxbode, joined the Group in November 2012. The Group has achieved an improvement in administrative efficiency and the development of product expertise, with a mixed portfolio of housing product lines and support activities.
ASSOCIATION A: LONDON & QUADRANT
Quadrant Housing Association was set up in 1963 by a group of young professionals who found out about the plight of the homeless in London, bought a house, and converted it into three flats. Initially the association operated from a church crypt, but by 1972 it had its own office and a portfolio of 1,300 homes. In 1973 it merged with the London Housing Trust, which had been set up in 1967, and by 1979 London & Quadrant (L&Q) had 6,000 homes. Quadrant Housing Finance was set up as a subsidiary of L&Q in 1997 to raise funds in the capital markets, and the expansion continued. L&Q now owns and manages about 70,000 homes in London and the South East and employs 1,200 staff.
Mission Statement
Our mission is: Creating places where people want to live.
For us that means two things:
1. Maximising resident satisfaction with our homes, services, and neighbourhoods.
2. Responsible growth through new, sustainable investment models and new housing options that increase choice and mobility.
Both of these are vital to our continued success as the leading provider of affordable
homes and services in London and the South East.4
Perceived Risks
The Board considers the following risks the most likely to affect future performance
and our ability to achieve our five-year plan:
• Welfare reform: L&Q has allocated time and resources to understand the longer-term risk of welfare reform. We are working with local authorities to identify residents who will be affected and contacting them to ensure they are aware and prepared. Our focus has now turned to managing the transition. This includes targeting higher risk accounts, the recruitment of additional staff to deal with increased debt, and the creation of a financial inclusion team to support residents.
• Land cost inflation: We have embarked on a progressive development strategy to give us the flexibility to adapt in a fluid marketplace. Returns from private sale and rent portfolios reduce the impact of increased land costs on our affordable housing pipeline. L&Q has adopted a shared risk approach, where appropriate, through joint ventures to counter the impact of land cost inflation.
• Sales/mortgage availability: We adopt a bespoke marketing and sales strategy for each new development and undertake scenario modelling based on revenue and cost fluctuation. We work with mortgage lenders to ensure potential customers have access to advice on how much they can borrow and the range of products available. We also undertake market research to ensure the products offered meet market requirements.
• Withdrawal of capital grant funding beyond 2015: We have developed a sustainable cross-subsidy model for new homes, supported by our annual surplus. Our development strategy assumes no additional capital grant.
• Health and safety: A dedicated health and safety team supports all of L&Q activities. . . . The Group Board receives an annual report on progress against our health and safety strategy.
• Business continuity: We have effective IT and logistical back-up arrangements in place to ensure business continuity following a major event such as a fire. In particular L&Q has a disaster recovery data centre. This provides real time data replication along with capabilities for hosting our telephony and email in the event of a major incident.
• Protection of charitable assets: Our financial strategy includes sensitivity analysis and performance indicators. These demonstrate that non-charitable activities do not place our charitable assets at risk. All non-charitable projects require Board approval and include exit plans. L&Q will respond to regulatory thinking and requirements as they develop.
• Rent control: L&Q is working with Shelter on its Stable Rental Contract. This involves market rent increases pegged at a percentage over CPI or RPI (Retail Price Index) combined with longer-term (probably five year) tenancies. In the worst scenario, current exposure to market rent is limited as a proportion of total housing stock. A greater risk relates to further rent control for existing social rented homes. Any adverse change would be met with a reduction in our development appetite.
• Property prices: Savills predicts zero percentage growth in London during 2013 but over 25 percent growth over the next four years. L&Q’s financial strategy tests a worst case scenario twice yearly and concludes that a 25 percent reduction in house prices will not have a material effect on our covenants. Whilst property prices have fallen by more than 25 percent once over the last 30 years, and taken nearly a decade to recover, L&Q is a long-term property investor and able to withstand such events. We are able to delay construction and move completed homes into alternative tenures rather than sell at a loss. Finally we may also see a fall in land prices as an opportunity to invest for the future.
• Impact of austerity/welfare reform on resident satisfaction: Welfare reform combined with continued austerity measures could have an adverse impact on the outlook of residents and their general satisfaction. Resident satisfaction is a top priority for L&Q. We have put in place a service improvement plan that will deliver sustainable improvements through investment in our social mission, our culture, systems and process change.
The summarized financial statements of London & Quadrant for the previous
five years are presented in Exhibit 8.3.
Choices Made in 2012/2013
To help relieve London’s housing shortage, the size of the L&Q development program has been increased in the past year from £1.25 billion to £2 billion, and there are now 12,000 homes in the program, of which £250 million is for 1,000 homes for rent at market rates. This represents a quickly accelerating growth rate—in 2012/2013 L&Q completed 1,444 new homes, 952 of which were for social rent, 25 were for affordable rent, 222 were low-cost home ownership homes, 201 were for market sale, 10 were for private rent, and 34 were for intermediate rent. L&Q’s in-house contractor, Quadrant Construction Services, handled over 231 of these homes, with a further 465 in progress at year-end.
In 2011 L&Q committed £100 million to the newly launched L&Q Foundation to tackle the disadvantaged by supporting projects that help people access training and employment, give opportunities to young people, provide guidance and support with managing finances, and build stronger communities.
In 2012/2013, over 4,000 people benefited from activities supported by the
Foundation; £10 million was spent as follows:
• £5.6 million on community activities
• £1.9 million on giving residents financial advice and supporting Citizens Advice Bureau and Credit Unions
• £1.4 million on schemes to increase resident employability
• £1.1 million on youth schemes
ASSOCIATION B: RCT HOMES
RCT Homes Limited is the largest social landlord in Wales and winner of Business
in the Community’s Welsh Company of the Year 2012 Award. RCT is based in
Pontypridd, in the Welsh county borough of Rhondda Cynon Taf, situated at the
confluence of the Rhondda and Cynon Taff valleys. The town is famous for its
old bridge, which, when it was constructed in 1756, had the longest single-span
Exhibit 8.3 Financial Performance of London & Quadrant
Panel A: Income and Expenditure Account
Income and expenditure account
(£ million) 2013 2012 2011 2010 2009
Turnover 457 368 327 330 306
Operating costs and cost of sales (238) (243) (240) (276) (224)
Operating surplus 181 144 89 87 66
Net interest charge (70) (65) (62) (43) (41)
Surplus on disposal of assets 11 16 17 17 12
Taxation (4) — — — —
Surplus for the year after tax 118 95 44 61 37
Panel B: Balance Sheet
Balance sheet (£ million) 2013 2012 2011 2010 2009
Housing properties at cost less depreciation 4,787 4,618 4,411 4,247 4,023
Social housing and other grants (2,625) (2,564) (2,515) (2,336) (2,215)
Subtotals 2,162 2,054 1,896 1,911 1,808
Other tangible fixed assets and investments 144 51 55 53 28
Net current assets 395 340 457 355 196
Total 2,701 2,445 2,408 2,319 2,032
Loans due after one year 1,877 1,749 1,779 1,880 1,667
Other long-term liabilities 249 216 186 28 12
Cash flow hedge reserve (93) (77) (24) (28) (42)
Revenue reserve 668 557 467 439 395
Total 2,701 2,445 2,408 2,319 2,032
Panel C: Cash Flow Statement
Cash flow statement (£ million) 2013 2012
Net cash inflow from operating activities 141.3 123.3
Interest paid/received (93.1) (83.1)
Capital expenditure
House construction and purchase (146.5) (177.2)
Capital reinvestment in existing stock (49.9) (70.2)
Capital grants received 57.4 65.2
Purchase of other assets (95.8) (1.3)
Sale of fixed assets 26.5 36.1
Subtotal (208.3) (147.4)
Cash outflow before financing (160.1) (107.2)
Cash withdrawn from term deposits 56.9 26.2
Financing
Loans received 250.0 —
Loans repaid (135.5) (3.4)
Increase/(decrease) in cash and cash equivalents 11.3 (84.4)
Panel D: Financial Ratios and Statistics
Financial ratios and statistics 2013 2012 2011 2010 2009
Operating margin on social housing lettings 46% 46% 34% 37% 31%
Operating margin—all activities 40% 39% 27% 26% 22%
Interest cover—excl asset sales & disposals 212% 211% 142% 202% 161%
Interest cover—incl asset sales & disposals 277% 244% 170% 242% 190%
Net gearing 56% 53% 51% 53% 56%
Operating cost per unit managed (£) 2,900 2,700 3,200 3,100 3,300
Net debt per unit managed (£) 25,400 23,700 22,600 23,400 22,700
Homes managed (000’s) 70.1 68.6 67.1 62.1 60.6
Estimated open market value of homes (£ bn) 12.0 10.8 10.3 9.4 8.5
Panel E: Product Profitability
Product profitability (£m) 2013 Turnover; 2013 Operating Surplus
Social housing
General needs 274.7 131.9
Supported housing 22.5 5.9
Intermediate market rent 16.2 8.0
Low-cost home ownership 49.7 19.6
Affordable rent 4.4 (0.3)
Other social housing activities 7.1 (4.8)
Community investment 0.2 (9.8)
Subtotal: social housing 374.8 150.5
Other
Outright sales 76.4 27.2
Market rent 2.6 1.4
Student accommodation 2.5 1.0
Commercial 0.5 0.5
Total 456.8 180.6
Disposal of fixed assets 11.5
Interest payable/receivable (69.3)
Other (0.3)
Tax (4.4)
Surplus for year after tax 118.1
stone arch in the world. The coal mines that formerly were the basis of the area’s
economy were closed in the 1980s, and it has been difficult to attract new industry.
In Rhondda Cynon Taf, the unemployment rate and the proportion of people of
working age claiming benefits remain about 50 percent greater than in other parts
of the United Kingdom.
RCT Homes was set up in 2007 to take over the ownership and management
of more than 10,000 homes in the borough, which had been allowed to get into bad
condition. In particular, over 30 percent of them did not meet the Welsh Housing
Quality Standard, which the Welsh government said should be satisfied by the end
of 2012. The performance of some services that tenants had been receiving was also
well below the standard they had a right to expect.
RCT is a community mutual organization with nearly 5,000 members and a
board comprising 15 people: five tenants, five members nominated by the Rhondda
Cynon Taff Council, and five independent members. Board members are not
paid. RCT now employs more than 500 staff and has four unregistered subsidiary
companies—Meadow Prospect, Grow Enterprise Wales (GrEW), Homeforce, and
Porthcwlis.
At transfer, funding was agreed from the government and from Lloyds Bank to pay for the required works, and 86 performance promises were made to tenants. Eighty promises, including achievement of the Welsh Housing Quality Standard, were signed off as delivered by the RCT Homes Members’ Forum and the local authority ahead of schedule in December 2012, and RCT has written to every household to inform tenants and invite challenge.
The RCT Subsidiaries5
RCT has a strong wider social agenda—encompassing financial, social, and digital inclusion and employment and addressing health inequalities—aimed at building individual and community capacity to improve tenancy and neighborhood sustainability. Some of these aims are planned to be realized through the four RCT subsidiaries.
RCT Homes has major pipeline proposals for development of new homes via its new development subsidiary, Porthcwlis, working with the Cardiff developer, Bellerophon. The proposals are at an early stage of development, and no homes have yet been completed. A new financing and delivery vehicle has been produced, which has secured £1 billion of private sector finance and which, it is hoped, will enable the public sector, housing associations, and private developers to come together to build many affordable homes without the need for capital grant funding from the Welsh government. An initial development of four homes, the first of a pilot for 30 homes at Cwmbach in the Cynon Valley, is now in progress.
Meadow Prospect, RCT’s regeneration charity, delivers community-
enhancing regeneration projects by working with partner organizations. These
support three core objectives:
1. Community capacity building projects, including youth work and supported employment programs
2. Community-based renewable energy projects
3. Social enterprise development
Grow Enterprise Wales (GrEW) is an award-winning social enterprise subsidiary of Meadow Prospect that aims to move local people closer to the workplace by offering work experience and basic life skills training.
Homeforce was set up in 2010 as a subsidiary to carry out annual gas safety checks, which are mandatory under current safety legislation, and gas-based responsive repairs. RCT Homes Group Board agreed in 2012 that Homeforce would expand to become the sole contractor for boiler and heating installations and would undertake half of the electrical improvement works program. Homeforce also became the appointed contractor for the completion of the power flushing program, which forms part of the long-term maintenance program of the current stock in RCT Homes’ properties.
The Sheltered Housing Remodelling Programme, being achieved within the parent company, is a major program for the remodeling of RCT’s sheltered housing accommodation for the elderly. This continued in 2012/2013 with the commencement of works in seven schemes. In 2012/2013, £9.2 million was spent, with a total of £12.4 million having been spent since transfer on improving sheltered accommodation. A further two schemes are planned to commence in 2013/2014.
Perceived Risks
The quotations that follow are from the RCT Homes 2012/2013 Group financial
statements:
During 2012 the group risk map was developed to ensure it has a greater strategic
focus. It identifies the following risks and challenges to the Group:
• Welfare Reform—As previously stated the changes proposed to welfare benefits will significantly change the UK housing sector and will place increased financial pressure on tenants and subsequently us. Direct payments to tenants increase the risk of our bad debt provision increasing and we will need to find innovative ways to keep cash collection rates at an acceptable level.
• Rent Restructure—The consultation document issued by Welsh Government in 2011 indicated that our rent envelope is lower than the current average rents charged across the borough, resulting in lower rent increases than those currently included in the business plan. The implementation of the new regime has been delayed until April 2014. This risk coupled with Welfare Reform has the potential to have a major impact on the rental income of the Group.
• Sheltered Remodelling Programme—As the project continues we need to ensure specifications are clear and build costs remain within budget. We need to ensure the preferred models are future proofed and fit for purpose whilst at the same time ensuring value for money. Active financial management, planning, and tenant input will be key to the success of this project.
• Impact on New Build to the Group—We currently have permission to pilot 200 properties through the framework operated by Porthcwlis. Any further increase in volumes will need consent from our funders.
• Expansion of Homeforce—As Homeforce expands into new work streams and begins to operate outside of the Group, we need to ensure growth is manageable in terms of resources and working capital. Asset investment will need to be closely managed to ensure cash does not become over committed and profitability on contracts is maintained.
• Long-Term Financial Viability of GrEW—Work is in progress to reduce costs within GrEW and expand its customer base to make the business more financially secure. During this time Meadow Prospect will continue to support its subsidiary.
The summarized financial statements of RCT Homes for the previous five
years are presented in Exhibit 8.4.
RCT Homes entered into a value-added tax (VAT)6 shelter coincident with the date of transfer of the housing stock, to carry out an agreed schedule of refurbishment works to the properties. The value of these works was £359 million. The cost to the borough council of contracting for these works to be undertaken was offset
Exhibit 8.4 Financial Performance of RCT Homes
Panel A: Income and Expenditure Account
Income and expenditure account (£ million) 2013 2012 2011 2010 2009
Turnover 45.9 44.6 43.6 40.0 36.6
Operating costs (33.0) (38.5) (29.6) (28.0) (27.1)
Operating surplus 12.9 6.1 14.0 12.0 9.5
Net interest charge (1.4) (0.5) (0.0) (0.5) 0.3
Surplus on disposal of assets 0.5 0.4 0.5 0.5 1.8
Actuarial (loss) on pension scheme (0.1) (3.8) (4.0) (1.3) (6.2)
Surplus for the year after tax 11.9 2.2 10.4 10.7 5.4
Panel B: Balance Sheet
Balance sheet (£ million) 2013 2012 2011 2010 2009
Housing properties at cost less depreciation and grant 96.6 75.1 46.4 27.7 11.8
Other tangible fixed assets and investments 1.3 1.6 1.9 2.3 2.5
Net current assets/(liabilities) (0.8) (1.8) 1.6 (10.6) (7.6)
Subtotal 97.1 74.9 49.9 19.4 6.7
Loans due after one year (47.0) (37.0) (18.0) (5.0) (3.0)
Other long-term liabilities (pensions) (7.2) (6.8) (3.1) 0.0 0.0
Net assets 42.9 31.1 28.8 14.4 3.7
Panel C: Cash Flow Statement
Cash flow statement (£ million) 2013 2012
Net cash inflow from operating activities 16.3 9.9
Interest paid/received (1.5) (1.0)
Capital expenditure
Improvement works on properties (27.0) (33.1)
Social housing and other grants 1.6 3.7
Purchase of other assets (0.3) (0.3)
Sale of fixed assets 0.5 0.5
Subtotal (25.2) (29.2)
Cash outflow before financing (10.4) (20.2)
Loans advances received 10.0 19.0
(Decrease) in cash and cash equivalents (0.4) (1.2)
against an equal increase in the purchase price of the stock paid to the borough
council by RCT Homes. This transaction is not reflected in the financial statements
in accordance with Financial Reporting Council (FRS) 5,7 reporting the substance
of transactions over the legal form. The works contracted are to be carried out over
an envisaged 15-year period and are being recognized as they are undertaken, in
accordance with the accounting policy for major, cyclical, and responsive repairs.
In the event RCT Homes does not complete the work specified, the development
agreement may be terminated at no financial loss to RCT Homes.
At April 2013, it was envisaged that there will be a further £136 million of
expenditure under the remaining nine years of the VAT shelter.
ASSOCIATION C: ABILITY HOUSING ASSOCIATION
Ability Housing Association is a specialist association that provides housing and support services to disabled people living in the South of England. It works in partnership with local authority housing, social services, and Supporting People teams, the Homes and Communities Agency, and mainstream housing associations to help deliver flexible and tailored housing and support for people who want to live more independently. The Ability Housing Association operates in London, Essex, Oxfordshire, Berkshire, Hampshire, Surrey, Dorset, and West Sussex. Its housing stock comprises mostly either wheelchair-standard housing or supported housing for people who need additional care or support.
The association was set up in 1999 when the Cheshire Foundation Housing
Association changed its name and relaunched as Ability. At this point it had 285
homes under management, employed 47 staff, and had a turnover of £1.86 million.
In 2003 the national Supporting People program began, and Ability entered into
Supporting People contracts with 18 local authorities. In 2004 Ability set up its
first mental health support services, in the London borough of Merton, and in 2004
Ability was rated as the second most efficient registered social landlord (RSL) in
England. In 2007 it was selected to provide mental health support services in Surrey
and new supported housing in Swindon. Over the next 10 years it grew steadily,
and in 2009 the REAP resettlement agency transferred its activities to Ability. By
2012 Ability had over 550 homes under management, and had a turnover of £8.8
million. In 2012, for the second year running, Ability was recognized as one of the
Sunday Times’ 100 Best Not-for-Profit Organisations to Work For.
In its corporate plan Ability states its values as follows:
Our pursuit of our visions is underpinned by the following values which permeate
the whole organisation:
We focus on ability not disability
– We focus on what each person can do—on their ability—rather than what they
can’t do. We work together with our customers to help them overcome barriers to
their own personal independent living goals.
We engage actively for feedback
– We engage actively with our customers, colleagues, and partners to seek feedback that helps us to understand how we can improve what we do and how we do it.
We value difference
– We respect and value the individuality of each person; we believe that differences
are strengths and that diversity enriches our lives and communities.
We demonstrate integrity
– We encourage a culture of openness, honesty, and personal accountability; we
respond to a challenge by asking ourselves what we can do to help and always
deliver on our promises.
Ability provides the following services:
Housing with Support, to promote independent living, for example:
• Assistance with learning independent living skills
• Advice and assistance with claiming welfare benefits and housing benefit
• Advice and assistance with budgeting and managing bills
• Advice on aids and adaptations
• Assistance with reporting repairs and managing tenancies
• General counseling and support with day-to-day living
• Assistance with arranging personal care and contacting other agencies involved in care and welfare
Most of the Housing with Support is provided in self-contained flats or bungalows, although some of it is in shared housing or studio apartments with some shared facilities.
Floating Support, similar support to that just described but provided without
housing. This service helps people with physical disabilities, learning disabilities,
or mental health–related support needs to manage their homes.
The Accessahome database, to enable disabled people, housing associations, and local authorities to make better decisions about housing. Accessahome records details about accessible features of properties—for example, if a property has been purpose-built to a wheelchair standard, lifetime homes standard, or mobility standard, or it has been specially adapted for a disabled person, for example, with a stair lift, level-access shower, or adapted kitchen. The database offers a matching service for both landlords and applicants and support information for disabled people, so that a landlord with an accessible or adapted property that is available for letting can search the database for applicants whose needs match the features of the property.
Perceived Risks
Extracts from 2012 Annual Report:
The removal of the Supporting People “ring-fence,”8 coupled with extreme funding cuts faced by local authorities, has cast doubt on the future of many supported housing and social care services. At Ability we place faith in maintaining the quality and value for money of services and being able to demonstrate positive outcomes for customers and commissioners.
Exhibit 8.5 Financial Performance of Ability Housing Association
Panel A: Income and Expenditure Account
Income and expenditure account (£ million) 2012 2011 2010 2009 2008
Turnover 8.8 8.6 8.6 7.4 5.6
Operating costs and cost of sales (7.6) (7.4) (7.3) (6.5) (4.9)
Operating surplus 1.2 1.2 1.3 0.9 0.7
Net interest charge (0.4) (0.2) (0.1) (0.1) (0.1)
Surplus on disposal of assets 0.1 0.4 — — 0.1
Taxation — — — — —
Surplus for the year after tax 0.9 1.4 1.2 0.8 0.7
Panel B: Balance Sheet
Balance sheet (£ million) 2012 2011 2010 2009 2008
Housing properties at cost less depreciation & grant 18.9 16.7 13.0 8.8 7.2
Other tangible fixed assets and investments 1.1 1.1 1.1 0.5 0.5
Net current assets 0.8 0.2 0.8 0.4 0.3
Subtotal 20.7 20.0 14.9 9.7 8.0
Creditors due after more than one year (9.9) (8.1) (6.6) (2.5) (1.6)
Other long-term liabilities — — — — —
Net assets 10.8 9.9 8.3 7.2 6.4
We are pleased therefore to have been able to agree with local authorities in
London Borough of Hillingdon and West Sussex extensions to some of our
most valuable services. Sadly this has not always been the way and, following a
competitive tendering exercise, some of our floating support services in Slough
have been transferred to another provider. . . .
Again this year we have seen the loss of some of our supporting people contracts
with others reducing in value. We expect further reductions in the years ahead. By
winning new business through competitive tender processes we have been able to
replace a part of the lost income.
The summarized financial statements of Ability Housing Association for the
previous five years are presented in Exhibit 8.5.
ASSOCIATION D: GREENSQUARE
Recently, locally based housing associations have been amalgamating together to
form regional groups. Once the amalgamation has been accomplished, the groups
often organize themselves on a product and activity basis, invest in innovative new
products, develop vigorously, and continue to absorb further local associations.
GreenSquare Group Limited is typical of such a group, operating across
Wiltshire, Oxfordshire, Gloucestershire, Swindon, and the surrounding areas.
GreenSquare was originally formed in 2008 from two associations (Westlea
Housing Association and Oxford Citizens Housing Association). Another Oxford-
based association, Oxbode, joined the GreenSquare Group in November 2012.
GreenSquare now manages over 11,000 properties.
The strategy just described allows the reduction of administration costs and
the development of product expertise. GreenSquare has the following:
• Development construction services provided by its in-house subsidiary Tidestone
• Property investment and maintenance of public open spaces undertaken by its commercial subsidiary Oakus
• Gas servicing and renewable energy business undertaken by a new acquisition, GW Sparrow & Company Ltd., based in Swindon
GreenSquare Group now has the following key business streams:
• General needs housing for rent, primarily by families who are unable to rent or buy at open market rates
• Supported housing and housing for older people who need additional housing-related support or additional care
• Low-cost home ownership, primarily shared ownership whereby residents purchase a share in the equity of their homes and pay rent to the association on the remainder
• Building large volumes of new affordable housing as a lead development partner under the Homes and Communities Agency (HCA)’s National Affordable Housing Programme (NAHP)
• A newly registered housing association, GreenSquare Community Housing Association, was set up in 2012. This will build houses financed by a £32 million sale-and-leaseback financing from Aviva, which will enable the Group to respond to new development opportunities as well as continuing to deliver its existing HCA program.
• The GreenSquare Academy has recently been set up to offer training and life skills development to residents, as many associations are becoming increasingly involved in education and vocational training.
Amalgamated organization structures carry a danger of reduced resi-
dent involvement; GreenSquare therefore set up three communities boards in
2012/2013 to ensure that its services and how the neighborhoods are run are kept
under close review. Last year £0.9 million was allocated to support community
projects. GreenSquare also has a Resident Scrutiny Panel to carry out inspections
and engage directly with residents.
Objectives and Strategy
GreenSquare’s mission is seen as “housing people, building communities.” The achievement of this is underpinned by four key vision statements:
1. Develop good quality housing to meet a wide and growing range of needs.
2. Create places where people want to live, and support a good quality of life.
3. Provide the range and quality of services our customers want.
4. Grow our activities and improve our financial strength and sustainability.

The following list of key risks is drawn from the 2012/2013 GreenSquare Group Limited annual report:
Key Risks (with comments)

Current economic climate and impact on public sector funds and the housing market: The continued restraints on government spending, changes to the housing benefit rules, along with the wider economic downturn, have been identified as key risks to the group. Such changes are likely to impact on the group’s ability to deliver its planned development program and may also affect core activities.

Delivery of development program: Successful delivery of the program depends on continued support from the HCA for the Group, as well as the ability and willingness of development contractors to continue to build the Group’s schemes in a challenging economic environment.

Availability of finance: Availability of loan finance is key to a thriving housing market, with potential impact on the Group’s ability to deliver its development program as well as difficulty for potential shared ownership purchasers to raise finance.

Low demand for housing properties developed for sale: The Group’s development program includes low-cost home ownership. Success depends on demand for the properties. Low demand in the housing market generally has an impact on low-cost home ownership schemes.

Rise in final salary pension scheme liabilities to unaffordable level: The Group could face significant liabilities for meeting pension fund deficits. The Group’s contributions to the fund may need to increase significantly in order to fund the scheme.

Change in government policy or new legislation: Such changes could have significant impact on the sector and therefore the operations of the Group (e.g., changes to the planning or tax regimes may increase costs of new developments, reducing scheme affordability).

Performance failure: Performance failures in services to our customers would affect the Group’s rating with the HCA and its reputation in the sector. Failure to deliver its development program may result in a withdrawal of capital grant.

Loss of key staff: Retention of quality staff and managers is key to successful delivery of the Group’s business plans.
Selected summarized financial statements of GreenSquare Group Limited from the previous five years are presented in Exhibit 8.6.9
Exhibit 8.6 Financial Performance of GreenSquare Group
Panel A: Income and Expenditure Account
Income and expenditure account (£ million) 2013 2012 2011 2010 2009
Turnover 56.2 48.5 45.0 45.3 45.7
Operating costs and cost of sales (43.1) (37.2) (35.0) (35.0) (36.8)
Operating surplus 13.1 11.3 10.0 10.3 8.9
Net interest charge (11.0) (9.5) (9.2) (8.4) (7.7)
Surplus on disposal of assets 0.8 0.3 0.1 0.2 0.1
Other income (note 1) 10.5
Taxation 0.1 (0.3) (0.1) (0.02) (0.1)
Surplus for the year after tax 13.5 1.8 0.8 2.1 1.0
Panel B: Balance Sheet
Balance sheet (£ million) 2013 2012 2011 2010 2009
Housing properties at current valuation 545.2 384.5 350.6 343.2 301.5
Other tangible fixed assets and investments 6.3 6.2 5.7 5.7 5.7
Net current assets 20.3 3.3 (4.1) 4.3 6.9
571.8 394.0 352.2 353.2 314.1
Loans due after one year (281.6) (237.3) (211.3) (210.3) (194.1)
Other long-term liabilities (6.7) (6.7) (5.1) (10.2) (4.6)
283.3 150.0 135.8 132.7 115.4
Panel C: Cash Flow Statement
Cash flow statement (£ million) 2013 2012 2011 2010 2009
Net cash inflow from operating activities 20.9 20.1 20.1 20.1 20.1
Interest paid/received (10.7) (10.6) (10.6) (10.6) (10.6)
Tax paid (0.1) (0.1) (0.1) (0.1) (0.1)
Cash from acquisition of Oxbode 2.3 (0.9) (0.9) (0.9) (0.9)
Capital expenditure
House construction and purchase (29.2) (39.1) (39.1) (39.1) (39.1)
Capital grants received 4.1 9.3 9.3 9.3 9.3
Purchase of other assets (1.1) (0.7) (0.7) (0.7) (0.7)
Sale of fixed assets 1.7 1.0 1.0 1.0 1.0
Subtotal (24.5) (29.5) (29.5) (29.5) (29.5)
Cash outflow before financing (12.1) (21.0) (21.0) (21.0) (21.0)
Cash (invested in) term deposits (13.7) (2.2) (2.2) (2.2) (2.2)
Financing
Loans received 31.8 26.6 26.6 26.6 26.6
Loans repaid (1.0) (0.8) (0.8) (0.8) (0.8)
Increase in cash and cash equivalents 5.0 2.6 2.6 2.6 2.6
Note 1: Gift on acquisition when Oxbode joined the Group in November 2012.
QUESTIONS
You are asked to look at the four housing associations and choose one of them whose location most resembles your own home area, together with another association in a contrasting area. You are asked to address four questions for each of the two associations that you have chosen:
1. Given the fact that the association is a charity, with risks related both to its financial and charitable aims and any profits made being reinvested to support its charitable aims, what do you assess as the biggest risks facing the association and what is your assessment of these risks? Note that “for-profit” activities such as building houses for sale can also contribute to an association’s aims (e.g., to provide affordable housing within its chosen area of operation).
2. Considering the list of products in the “Background” section, how do you rate their potential risks and returns for the association, again in relation to its charitable aims and viability constraints and in the context of the association’s operating environment?
3. In the light of the association’s financial position and its charitable aims, how high should the association’s risk appetite be? Is one of the generic strategies listed in the “Sector Issues” section appropriate for the association, and if not then what should the association’s strategy be?
4. Can you suggest product growth targets and appropriate risk limits that will enable the association to develop safely and dynamically in the short/medium term?

The association data was drawn in 2013 from current real cases, and it may help you to investigate the “actual” cases and their contexts.
NOTES
1. The Decent Homes Standard is a technical standard for public housing introduced by the United Kingdom government in April 2002. It underpinned the Decent Homes Programme brought in by the Labour party, which aimed to provide a minimum standard of housing conditions for all those who are housed in the public sector (i.e., council housing and housing associations). The content of the standard is described in the House of Commons Library Research Paper 03/65 “Delivering the Decent Homes Standard: Social Landlords’ Opinions and Progress.”
2. For more detail, see www.homesandcommunities.co.uk/sites/default/files/our-work/sector-risk-profile-120611.
3. See section 5.3.5, “Defining Risk Criteria,” in ISO 31000:2009.
4. The quotes are from the L&Q 2013 financial statements; see www.lqgroup.org.uk/_assets/files/LQ0363_Financial-Statements-2013_LR. For more information about L&Q see www.lqgroup.org.uk.
5. For more information on the RCT subsidiaries, please refer to: www.rcthomes.co.uk, www.rcthomes.co.uk/main.cfm?type=PORTHCWLIS&object_id=2745, www.bplltd.co.uk/index.php, www.meadowprospect.co.uk/default.htm, and www.meadowprospect.co.uk/growenterprisewales/default.htm.
6. A value-added tax (VAT) is a form of consumption tax. From the perspective of the buyer, it is a tax on the purchase price. From that of the seller, it is a tax only on the value added to a product, material, or service, from an accounting point of view, by this stage of its manufacture or distribution. The manufacturer remits to the government the difference between these two amounts, and retains the rest for itself to offset the taxes it had previously paid on the inputs; see HM Revenue & Customs: Introduction to VAT, www.hmrc.gov.uk/vat/start/introduction.htm.
7. FRS 5 addresses the problem of what is commonly referred to as off-balance-sheet financing. One of the main aims of such arrangements is to finance a company’s assets and operations in such a way that the finance is not shown as a liability in the company’s balance sheet. A further effect is that the assets being financed are excluded from the accounts, with the result that both the resources of the entity and its financing are understated. Source: Financial Reporting Council.
8. Ring-fencing occurs when a portion of a company’s assets or profits are financially separated without necessarily being operated as a separate entity. This might be for regulatory reasons, creating asset protection schemes with respect to financing arrangements, or segregating into separate income streams for taxation purposes. Ring-fencing guarantees that funds allocated for a particular purpose will not be used for anything else. Source: www.oxforddictionaries.com/definition/english/ring-fence. Note: The removal of the Supporting People ring-fence allows local authorities to divert to other activities the money allocated to them for this program. The result has been severe cuts in the total Supporting People funding.
9. For GreenSquare’s financial statements, see: www.greensquaregroup.com/upload/5236bbc772028GS and www.greensquaregroup.com/upload/50619fd12a9aaGS_report1112.
REFERENCES
Fraser, John, and Betty J. Simkins, eds. 2010. Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Hoboken, NJ: John Wiley & Sons.
Sector Risk Profile. 2012. Homes and Communities Agency, London, England. www.homesandcommunities.co.uk/sites/default/files/our-work/sector-risk-profile-120611.
ABOUT THE CONTRIBUTOR
Following a mathematics degree at Cambridge University and six years’ KPMG strategy consultancy experience, John Hargreaves took up a series of financial positions, including periods as the Financial Controller of National Freight, a stint running Shell’s central financial and management accounting and planning systems, and three years as the Finance Director of London Underground. Since 1991 John has specialized in risk management, initially as Corporate Finance Director of Barclays Bank, where he was responsible for introducing risk management systems following the previous United Kingdom depression.

In 1996 he became Managing Director of Hargreaves Risk and Strategy, which has clients in the housing, banking, oil, and transport sectors. The consultancy has implemented risk management systems in about 60 organizations. John is a leading expert on the quantification of risks. He has conducted research over a number of years on the risk profile of the UK social housing sector, initially through study of client risk maps but also through analysis of the risks that occurred in a sample of 41 companies. This knowledge was used in 2005 in the design of the sector’s highly successful risk-related regulatory system.

John is also an authority on the relationship between risk management and strategy, and for 15 years has run a course on strategic management for an MSc program at the London School of Economics.
CHAPTER 9
Lessons from the Academy
ERM Implementation in the University Setting
ANNE E. LUNDQUIST
Western Michigan University
The tragedy at Virginia Tech, infrastructure devastation at colleges and universities in the New Orleans area in the aftermath of Hurricane Katrina, the sexual abuse scandal at Penn State, the governance crisis at the University of Virginia, American University expense-account abuse, and other high-profile university situations have created heightened awareness of the potentially destructive influence of risk and crisis for higher education administrators.1 The recent Risk Analysis Standard for Natural and Man-Made Hazards to Higher Education Institutions (American Society of Mechanical Engineers–Innovative Technologies Institute 2010) notes that “resilience of our country’s higher education institutions has become a pressing national priority” (p. vi). Colleges and universities are facing increased scrutiny from stakeholders regarding issues such as investments and spending, privacy, conflicts of interest, information technology (IT) availability and security, fraud, research compliance, and transparency (Willson, Negoi, and Bhatnagar 2010). A statement from the review committee assembled to examine athletics controversies at Rutgers University is not unique to that situation; the committee found that “the University operated with inadequate internal controls, insufficient inter-departmental and hierarchical communications, an uninformed board on some specific important issues, and limited presidential leadership” (Grasgreen 2013).

The situation at Penn State may be one of the clearest signals that risk management (or lack thereof) has entered the university environment and is here to stay. In a statement regarding the report, Louis Freeh, chair of the independent investigation by his law firm, Freeh Sporkin & Sullivan, LLP, into the facts and circumstances of the actions of Pennsylvania State University, said the following:

In our investigation, we sought to clarify what occurred . . . and to examine the University’s policies, procedures, compliance and internal controls relating to identifying and reporting sexual abuse of children. Specifically, we worked to identify any failures or gaps in the University’s control environment, compliance programs and culture which may have enabled these crimes against children to occur on the Penn State campus, and go undetected and unreported for at least these past 14 years.

The chair of Penn State’s board of trustees summed it up succinctly after the release of the Freeh Report (Freeh and Sullivan 2012) regarding the university’s handling of the sexual abuse scandal: “We should have been risk managers in a more active way” (Stripling 2012).

The variety, type, and volume of risks affecting higher education are numerous, and the public is taking notice of how those risks are managed. Accreditation agencies are increasingly requiring that institutions of higher education (IHEs) demonstrate effective integrated planning and decision making, including using information gained from comprehensive risk management as a part of the governance and management process.2 Credit rating agencies now demand evidence of comprehensive and integrated risk management plans to ensure a positive credit rating, including demonstration that the board of trustees is aware of, and involved in, risk management as a part of its decision making.3 Through its Colleges and Universities Compliance Project, the Internal Revenue Service (IRS) is considering how to hold IHEs responsible for board oversight of risk, investment decisions, and other risk management matters.4 The news media has a heightened focus on financial, governance, and ethical matters at IHEs, holding them accountable for poor decisions and thus negatively affecting IHE reputations. In response to this, many IHEs have implemented some form of enterprise risk management (ERM) program to help them identify and respond to risk.
THE HIGHER EDUCATION ENVIRONMENT
Colleges and universities have often perceived themselves as substantially different and separate from other for-profit and not-for-profit entities, and the outside world has historically viewed and treated them as such. Colleges and universities have been viewed as ivory towers, secluded and separated from the corporate (and thus the federal regulatory and, often, legal) world. Higher education was largely a self-created, self-perpetuating, insular, isolated, and self-regulating environment. In this culture, higher education institutions were generally governed under the traditional, independent “silos of power and silence” management model, with the right hand in one administrative area or unit often unaware of the left hand’s mission, objectives, programs, practices, and contributions in another area.

John Nelson (2012), managing director for the Public Finance Group (Healthcare, Higher Education, Not-for-Profits) for Moody’s Investors Service, observed that higher education culture is somewhat of a contradiction in that colleges and universities are often perceived as “liberal,” whereas organizationally they tend to be “conservative and inward-looking.”5 Citing recent examples at Penn State and Harvard, he noted that colleges and universities can be “victims of their own success”; a past positive reputation can prevent boards from asking critical questions, and senior leadership from sharing troubling information with boards, and this can perpetuate a culture that isn’t self-reflective, thus increasing the likelihood for a systemic risk management or compliance failure. The Freeh Report (2012) is instructive regarding not only the Penn State situation, but the hands-off and rubber-stamp culture of university boards and senior leaders more broadly. The Freeh Report found that the Penn State board failed in its duty to make reasonable inquiry and to demand action from the president, and that the president, a senior vice president, and the general counsel did not perform their duties. The report calls these inactions a “failure of governance,” noting that the “board did not have regular reporting procedures or committee structure to ensure disclosure of major risks to the University” and that “Penn State’s ‘Tone at the Top’ for transparency, compliance, police reporting, and child protection was completely wrong, as shown by the inaction and concealment on the part of its most senior leaders, and followed by those at the bottom of the University’s pyramid of power.”
In his text regarding organizational structures in higher education, How Colleges Work, Birnbaum (1988) notes that, organizationally and culturally, colleges and universities differ in many ways from other organizations. He attributes this difference to several factors: the “dualistic” decision-making structure (comprised of faculty “shared governance” and administrative hierarchy); the lack of metrics to measure progress and assess accountability; and the lack of clarity and agreement within the academic organization on institutional goals (based, in part, on the often competing threefold mission of most academic organizations of teaching, research, and service). Because of these organizational differences, Birnbaum notes that the “processes, structures, and systems for accountability commonly used in business firms are not always sensible for [colleges and universities]” (p. 27).

While noting that colleges and universities are unique organizations, Birnbaum also observes that they have begun to adopt more general business practices, concluding that “institutions have become more administratively centralized because of requirements to rationalize budget formats, implement procedures that will pass judicial tests of equitable treatment, and speak with a single voice to powerful external agencies” (p. 17).

This shift to a more businesslike culture for IHEs has been under way since the 1960s and has brought significant societal changes while seeing the federal government, as well as state governments, begin to enact specific legislation affecting colleges and universities.6 The proliferation of various laws and regulations, coupled with the rise of aggressive consumerism toward the end of the 1990s, has led to an increased risk of private legal claims against institutions of higher education—and their administrators—as well as a proliferation of regulatory and compliance requirements. Higher education is now generally treated like other business enterprises by judges, juries, and creative plaintiffs’ attorneys, as well as by administrative and law enforcement agencies, federal regulators—and the public.

Mitroff, Diamond, and Alpaslan (2006) point out that despite their core educational mission, colleges and universities are really more like cities in terms of the number and variety of services they provide and the “businesses” they are in. They cite the University of Southern California (USC) as an example, noting that USC operates close to 20 different businesses, including food preparation, health care, and sporting events, and that each of these activities presents the university with different risks. Jean Chang (2012), former ERM director at Yale University, observed that IHEs are complicated businesses with millions of dollars at stake, but they don’t like to think of themselves as “enterprises.”
Organizational Type Impacts Institutional Culture
While Birnbaum (1988) notes that IHEs differ in important ways from other organizational types, especially for-profit businesses, he also concludes that colleges and universities differ from each other in important ways. Birnbaum outlines five models of organizational functioning in higher education: collegial, bureaucratic, political, anarchical, and cybernetic. In Bush’s (2011) text on educational leadership, he groups educational leadership theories into six categories: formal, collegial, political, subjective, ambiguity, and cultural. In their discussion of organizational structure, Bolman and Deal (2008) provide yet another method for analysis of organizational culture, identifying four distinctive “frames” from which people view their world and that provide a lens for understanding organizational culture: structural, human resources, political, and symbolic.

Each of these models can provide a conceptual framework by which to understand and evaluate the culture of a college or university. Understanding the organizational type of a particular institution is imperative when considering issues such as the process by which goals are determined, the nature of the decision-making process, and the appropriate style of leadership to accomplish goals and implement initiatives. What works in one university organizational type may not be effective in another. The leadership style of senior administration may be operating from one frame or model while the culture of the faculty may be operating from another, thus affecting policy and practice in positive or negative ways.

While not true across the board, for-profit organizations tend to operate from what Bush as well as Bolman and Deal refer to as the formal or structural models and Birnbaum terms bureaucratic. The structural frame represents a belief in rationality. Some assumptions of the structural frame are that “suitable forms of coordination and control ensure that diverse efforts of individuals and units mesh” and that “organizations work best when rationality prevails over personal agendas” (Bolman and Deal 2008, p. 47). Understanding this cultural and framing difference is important when considering the adoption and implementation of ERM in the university environment, and can help to explain why many university administrators and faculty are skeptical of the more corporate approach often taken in ERM implementation outside of higher education.

Bush observes that the collegial model has been adopted by most universities and is evidenced, in part, by the extensive committee system. Collegial institutions have an “emphasis on consensus, shared power, common commitments and aspirations, and leadership that emphasizes consultation and collective responsibilities” (Birnbaum, p. 86). Collegial models assume that professionals also have a right to share in the wider decision-making process (Bush 2011, p. 73). Bush points out that collegial models assume that members of an organization agree on organizational goals, but that often various members within the institution have different ideas about the central purposes of the institution because most colleges and universities have vague, ambiguous goals. Birnbaum describes the collegium (or university environment) as having the following characteristics:

The right to participate in institutional affairs, membership in a congenial and sympathetic company of scholars in which friendships, good conversation, and mutual aid flourish, and the equal worth of knowledge in various fields that precludes preferential treatment of faculty in different disciplines. (p. 87)

ERM (or risk management and compliance initiatives in general) tend to be viewed as more corporate functions and to align with formal, structural, and bureaucratic aims, goal setting, planning, and decision making. The chart in Exhibit 9.1 outlines management practices and how they are viewed from the
Exhibit 9.1 Distinctions between Structural and Collegial Elements of Management*

The exhibit compares six elements of management across two model families, Formal/Structural and Collegial/Human Resources, as described by Bolman and Deal, Bush, and Birnbaum respectively.

Level at which goals are determined
Formal/Structural: Bolman and Deal: Institutional. Bush: Institutional. Birnbaum: Institutional.
Collegial/Human Resources: Institutional through agreement and consensus.

Process by which goals are determined
Formal/Structural: Bolman and Deal: Vertical and lateral processes. Bush: Set by leaders. Birnbaum: Based on organizational structure and roles.
Collegial/Human Resources: Bolman and Deal: Agreement. Bush: Agreement. Birnbaum: Consensus.

Relationship between goals and decisions
Formal/Structural: Bolman and Deal: Organizations exist to achieve established goals. Bush: Decisions based on goals. Birnbaum: Conscious attempt to link means to ends and resources to objectives.
Collegial/Human Resources: Bolman and Deal: Shared sense of direction and commitment. Bush: Decisions based on goals. Birnbaum: Strong and coherent culture and value consensus informs decisions.

Nature of the decision process
Formal/Structural: Bolman and Deal: Rational; rules, policies, and standard operating procedures. Bush: Rational. Birnbaum: Rational; compliance with rules and regulations.
Collegial/Human Resources: Bolman and Deal: Egalitarianism; teams. Bush: Collegial. Birnbaum: Deliberative consensus.

Nature of structure
Formal/Structural: Bolman and Deal: Organizations increase efficiency and enhance performance through specialization and division of labor. Bush: Objective reality; hierarchical. Birnbaum: Designed to accomplish large-scale tasks by systematically coordinating the work of many individuals.
Collegial/Human Resources: Bolman and Deal: Organizations exist to serve human needs; must be a good fit between organization and people. Bush: Lateral. Birnbaum: Collegium.

Style of leadership
Formal/Structural: Bolman and Deal: Established authority. Bush: Leader establishes goals and initiates policy. Birnbaum: Leader is concerned with planning, directing, organization, staffing, and evaluating.
Collegial/Human Resources: Bolman and Deal: Doesn’t control or overly structure; sensitive to both task and process; use of teams. Bush: Leader seeks to promote consensus. Birnbaum: Leader is “first among equals,” consultation and collective responsibilities.

* Adapted from Bush (2011), 199 (Figure 9.1).
formal/structural and collegial/human resources models. As will become clear in the University of Washington ERM implementation case described in this chapter, the culture of higher education in general, and the institution-specific culture of the particular organization, cannot be ignored when adopting or implementing an ERM program, and may be the most important element when making ERM program, framework, and philosophy decisions.

Risks Affecting Higher Education
One way in which colleges and universities are becoming more like other organizations is the type and variety of risks affecting them. Risk and crisis in higher education may arise from a variety of sources: a failure of governance or leadership; a business or consortium relationship; an act of nature; a crisis related to student safety or welfare or that of other members of the community; a violation of federal, state, or local law; or a myriad of other factors. The University Risk Management and Insurance Association (URMIA 2007) cites several drivers that put increased pressure and risk on colleges and universities, including competition for faculty, students, and staff; increased accountability; external scrutiny from the government, the public, and governing boards; IT changes; competition in the marketplace; and increased levels of litigation. A comprehensive, yet not exhaustive, list of risks affecting higher education is outlined in Exhibit 9.2. Risks unmitigated at the unit, department, or college level can quickly lead to high-profile institutional risk when attorneys, the media, and the public get involved. Helsloot and Jong (2006) observe that higher education has a unique risk as it relates to the generation and sharing of its core task: “to gather, develop, and disseminate knowledge” (p. 154), noting that the “balance between the unfettered transfer of knowledge, on the one hand, and security, on the other, is a precarious one” (p. 155).

EMERGENCE OF ERM IN HIGHER EDUCATION
In the corporate sector, interest in the integrated and more strategic concept of enterprise risk management (ERM) has grown significantly in the past 15 years (Arena, Arnaboldi, and Azzone 2010). Certain external factors affected the adoption and implementation of ERM practices in corporations, including significant business failures in the late 1980s that occurred as a result of high-risk financing strategies (URMIA 2007). Governments in several European countries took actions and imposed regulatory requirements regarding risk management earlier than was done in the United States, issuing new codes of practice and regulations such as the Cadbury Code (1992), the Hampel Report (1998), and the Turnbull Report (1999). In 2002, the Public Company Accounting Reform and Investor Protection Act (otherwise known as Sarbanes-Oxley, or SOX) was enacted in the United States. In 2007, the Securities and Exchange Commission (SEC) issued guidance placing greater emphasis on risk assessment and began to develop requirements for enterprise-wide evaluation of risk. In February 2010, the SEC imposed regulations requiring for-profit corporations to report in depth on how their organizations identify risk, set risk tolerances, and manage risk/reward trade-offs throughout the enterprise.

While widespread in the corporate sector, in large part due to regulatory compliance, ERM is fairly new in higher education. Gurevitz (2009) observes that
Exhibit 9.2 Risks Affecting Higher Education
Institutional Area Types of Risk
Boards of Trustees and
Regents, President,
Senior Administrators
Accreditation
Board performance assessment
CEO assessment and compensation
Conflict of interest
Executive succession plan
Fiduciary responsibilities
IRS and state law requirements
Risk management role and responsibility
Business and Financial
Affairs
Articulation agreements
Bonds
Budgets
Business ventures
Cash management
Capital campaign
Contracting and purchasing
Credit rating
Debt load/ratio
Endowment
Federal financial aid
Fraud
Gift/naming policies
Insurance
Investments
Loans
Outsourcing
Transportation and travel
Recruitment and admissions model
Compliance with
Federal, State, and
Local Laws, Statutes,
Regulations, and
Ordinances
Americans with Disabilities Act (ADA)/Section 504
Copyright and fair use
Drug-Free Schools and Communities Act
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act of
1996 (HIPAA)
Higher Education Opportunity Act IRS regulations
Integrated Postsecondary Education Data System (IPEDS)
Jeanne Clery Disclosure of Campus Security Policy and
Campus Crime Statistics Act (Clery Act)
National Collegiate Athletic Association
(NCAA)/National Association of Intercollegiate
Athletics (NAIA) regulations
Record retention and disposal
Tax codes
Whistle-blower policies
Campus Safety and
Security
Emergency alert systems for natural disaster or other
threat
Emergency planning and procedures
Incident response
(continued)
www.it-ebooks.info

http://www.it-ebooks.info/

150 Implementing Enterprise Risk Management
Exhibit 9.2 (Continued)
Institutional Area Types of Risk
Campus Safety and
Security (continued)
Infectious diseases
Interaction with local, state, and federal authorities
Minors on campus
Terrorism
Theft
Violence on campus
Weapons on campus
Weather
Information Technology Business continuity
Cyber liability
Electronic records
Information security
Network integrity
New technologies
Privacy
System capacity
Web page accuracy
Academic Affairs Academic freedom
Competition for faculty
Faculty governance issues
Grade tampering
Grants
Human subject, animal, and clinical research
Intellectual property
Internship programs
Joint programs/partnerships
Laboratory safety
Online learning
Plagiarism
Quality of academic programs
Student records
Study abroad
Tenure
Student Affairs Admission/retention
Alcohol and drug use
Clubs and organizations
Conduct and disciplinary system
Dismissal procedures
Diversity issues
Fraternities and sororities
Hate crimes
Hazing
International student issues
Psychological disabilities issues
Sexual assault
Student death
Student protest
Suicide
www.it-ebooks.info

http://www.it-ebooks.info/

LESSONS FROM THE ACADEMY 151
Exhibit 9.2 (Continued)
Institutional Area Types of Risk
Employment/Human
Resources
Affirmative action
Background checks
Discrimination lawsuits
Employment contracts
Grievances
Labor laws
Performance evaluation
Personnel matters
Sexual harassment
Termination procedures
Unions
Workplace safety
Physical Plant Building and renovation
Fire
Infrastructure damage
Off-site programs
Public-private partnerships
Residence hall and apartment safety
Theft
Other Alumni
Athletics
External relations
Increased competition for students, faculty, and staff
Increased external scrutiny from the public, government,
and media
Medical schools, law schools
Vendors
educational institutions “have been slower to look at ERM as an integrated busi-
ness tool, as a way to help all the stakeholders—trustees, presidents, provosts,
CFOs, department heads, and frontline supervisors—identify early warning signs
of something that could jeopardize a school’s operations or reputation.” In 2000,
the Higher Education Funding Council of England enacted legislation requir-
ing all universities in England to implement risk management as a governance
tool (Huber 2009). In Australia, the Tertiary Education Quality Standards Agency
(TEQSA 2013) evaluates the performance of higher education providers against a
set of threshold standards and makes decisions in relation to their performance
in line with three regulatory principles, including understanding an institution’s
level of risk.
In the United States, engaging in risk management efforts and programs for IHEs is not specifically required by accrediting agencies or the federal government. Perhaps because it is not required, ERM has not been a top focus for boards and senior administrators at IHEs. Tufano (2011) points out that risk management in the nonprofit realm, including higher education, is significantly less developed than in much of the corporate world and often still has a focus on avoidance of loss rather than setting strategic direction. Mitroff, Diamond, and Alpaslan’s (2006) survey assessing the state of crisis management in higher education revealed that colleges and universities were generally well prepared for certain crises, particularly fires, lawsuits, and crimes, in part because certain regulations impose requirements. They were also well prepared for infrequently experienced but high-profile situations such as athletics scandals, perhaps based on their recent prominence in the media. However, they were least prepared for certain types of crises that were frequently experienced, such as reputation and ethics issues, as well as other nonphysical crises such as data loss and sabotage.7 A survey conducted by the Association of Governing Boards of Universities and Colleges and United Educators (2009) found that, of 600 institutions completing the survey, fewer than half of the respondents “mostly agreed” that risk management was a priority at their institution. Sixty percent stated that their institutions did not use a comprehensive, strategic risk assessment to identify major risks to mission success. Recent high-profile examples may be beginning to change that. The Freeh Report regarding Penn State determined that “the university’s lack of a robust risk-management system contributed to systemic failures in identifying threats to individuals and the university and created an environment where key administrators could ‘actively conceal’ troubling allegations from the board” (Stripling 2012).
ADOPTING AND IMPLEMENTING ERM IN COLLEGES AND UNIVERSITIES

In 2001, PricewaterhouseCoopers and the National Association of College and University Business Officers (NACUBO) sponsored a think tank of higher education leaders to discuss the topic of ERM in higher education, likely in response to widespread discussion in the for-profit sector and in anticipation of potential regulatory implications for higher education. The group included Janice Abraham, then president and chief executive officer of United Educators Insurance, as well as senior administrators from seven universities.8 The focus of their discussion was on the definition of risk; the risk drivers in higher education; implementation of risk management programs to effectively assess, manage, and monitor risk; and how to proactively engage the campus community in a more informed dialogue regarding ERM. Their conversation produced a white paper, “Developing a Strategy to Manage Enterprisewide Risk in Higher Education” (Cassidy et al. 2001). In 2007, NACUBO and the Association of Governing Boards of Universities and Colleges (AGB) published additional guidance in their white paper, “Meeting the Challenges of Enterprise Risk Management in Higher Education.” The University Risk Management and Insurance Association (URMIA) also weighed in with its white paper, “ERM in Higher Education” (2007). In 2013, Janice Abraham wrote a text published by AGB and United Educators, entitled Risk Management: An Accountability Guide for University and College Boards. These documents provide guidance and information to institutions considering the implementation of an ERM program and discuss the unique aspects of the higher education environment when considering ERM implementation.

Several authors have discussed the transferability of the ERM model to higher education, even with the cultural and organizational differences that abound between the for-profit environment and higher education. URMIA (2007) concluded that “the ERM process is directly applicable to institutions of higher education, just as it is to any other ‘enterprise’; there is nothing so unique to the college or university setting as to make ERM irrelevant or impossible to implement” (p. 17). Whitfield (2003) assessed the “feasibility and transferability of a general framework to guide the holistic consideration of risk as a critical component of college and university strategic planning initiatives” (p. 78) and concluded that “the for-profit corporate sector’s enterprise-wide risk management framework is transferable to higher education institutions” (p. 79).

National conferences for higher education associations such as NACUBO, AGB, URMIA, and others had presentations on ERM. Insurers of higher education, such as United Educators and Aon, as well as consultants such as Accenture and Deloitte, among others, provided workshops to institutions and published white papers of their own, such as the Gallagher Group’s “Road to Implementation: Enterprise Risk Management for Colleges and Universities” (2009). In the early 2000s, many IHEs rushed to form committees to examine ERM and hired risk officers in senior-level positions, following the for-profit model.9 However, when specific regulations such as those imposed by the SEC for for-profit entities did not emerge in the higher education sector, interest in highly developed ERM models at colleges and universities began to wane. Gurevitz (2009) points out that the early ERM frameworks weren’t written with higher education in mind and were often presented “in such a complicated format that it made it difficult to translate the concepts for many universities.”
Institutions with ERM programs have taken various paths in their selection of models and methods and have been innovative and individualized in their approaches. There is no comprehensive list of higher education institutions with ERM programs, and not all IHEs with integrated models use the term ERM. Exhibit 9.3 shows a snapshot of IHEs that have adopted ERM; a review of their websites demonstrates the various risk management approaches adopted by IHEs and the wide variability in terminology, reporting lines, structure, and focus. In many instances, those IHEs with highly developed programs today had some form of “sentinel event” (regulatory, compliance, student safety, financial, or other) that triggered the need for widespread investigation and, therefore, the development of more coordinated methods for compliance, information sharing, and decision making. In other situations, governing board members brought their business experience with ERM to higher education, recognizing the “applicability and relevance of using a holistic approach to risk management in academic institutions” (Abraham 2013, p. 6).

Exhibit 9.3 Sample of Colleges and Universities with ERM Programs

Institution | Title of Person with ERM Responsibility | Website
Duke University | Executive Director of Internal Audit | http://internalaudits.duke.edu/risk-assessment/index.php
Emory University | Chief Audit Officer | www.emory.edu/EMORY_REPORT/stories/2010/04/19/risk_management.html
Georgia State University | Director, Enterprise Risk Management | www.gsu.edu/accounting/63370.html
Iowa State University | Associate Vice President for Budget and Planning | www.provost.iastate.edu/what-we-do/erm
Johnson & Wales | Director of Compliance, Internal Audit, and Risk Management | www.jwu.edu/content.aspx?id=57825
Maricopa County Community College District (MCCCD) | Director of Enterprise Risk Management | www.maricopa.edu/publicstewardship/governance/adminregs/auxiliary/4_16.php
Ohio University | Associate Vice President for Risk Management and Safety | www.ohio.edu/riskandsafety/urmi.htm
Texas A&M University System | Office of Risk Management and Benefits Administration | www.tamus.edu/offices/risk/riskmanage/guide/enterprise-risk-management/
University of Alaska System | Chief Risk Officer | www.alaska.edu/risksafety/
University of California | Risk Services, Office of the President | www.ucop.edu/enterprise-risk-management/
University of Denver | Director of Enterprise Risk Management | www.du.edu/internal-audit/internal_audit/faq.html
University of Iowa | Senior Vice President of Finance and Operations and Treasurer | www.uiowa.edu/~fusrm/EnterpriseRiskManagement/index.html
University of Maryland | Vice President for Planning and Accountability | www.umaryland.edu/accountability-old/risk-management/
University of Notre Dame | Director of Risk Management and Safety | http://riskmanagement.nd.edu/about/
University of Vermont | Senior Strategist for Enterprise Risk and Planning, Office of the Vice President for Finance & Administration | www.uvm.edu/~erm/
University of Washington | Risk Analyst | http://f2.washington.edu/fm/erm
Yale University | Director of ERM | http://ogc.yale.edu/riskmanagement

Regardless of the impetus, the current focus appears to be on effectively linking risk management to strategic planning. Abraham points out that many higher education institutions are recognizing that an effective ERM program, with the full support of the governing board, “will increase a college, university or system’s likelihood of achieving its plans, increase transparency, and allow better allocation of scarce resources. Good risk management is good governance” (p. 5). Ken Barnds (2011), vice president at Augustana College, points out that “many strategic planning processes, particularly in higher education, spent an insufficient amount of time thinking about threats and weaknesses.” Barnds believes that “an honest and thoughtful assessment of the college’s risks . . . would lead [Augustana] in a positive, engaged, and proactive direction.” A recent Grant Thornton (2011) thought paper urges university leaders to think about more strategic issues as part of their risk management, including board governance, IRS scrutiny of board oversight practices, investment performance in university endowments, indirect cost rates in research, changes in employment practices, and outsourcing arrangements.
Regardless of terminology, there is an increased priority on taking a more enterprise-wide approach to risk management and moving from a compliance-driven approach to a comprehensive, strategic approach across and throughout the organization that is used to positively affect decision making and impact mission success and the achievement of strategic goals. Tufano (2011) points out that even in the corporate environment, top leaders are not inclined to work through a detailed step-by-step risk management process, but rather take a top-level approach. In the university environment, this means asking three fundamental questions: What is our mission? What is our strategy to achieve it? What risks might derail us from achieving our mission? Richard F. Wilson, president of Illinois Wesleyan University, may best summarize the current perspective of senior-level higher education administrators:

When I first started seeing the phrase “enterprise risk management” pop up in higher education literature, my reaction was one of skepticism. It seemed to me yet another idea of limited value that someone had created a label for, to make it seem more important than it really was. Although some of that skepticism remains, I find myself increasingly in sympathy with some of its basic tenets . . . [especially] the analysis that goes into decisions about the future. Most institutions are currently engaged in some kind of strategic planning effort driven, in part, by the need to protect their financial viability and vitality for the foreseeable future. . . . Bad plans and bad execution of good ideas can put an institution at risk fairly quickly in the current environment. Besides examining what we hope will happen if a particular plan is adopted, we should also devote time to the consequences if the plan does not work. I still cannot quite get comfortable incorporating enterprise risk management into my daily vocabulary, but I have embraced the underlying principles. (Wilson 2013)
THE UNIVERSITY OF WASHINGTON: A JOURNEY OF DISCOVERY

The University of Washington (UW) has a robust enterprise risk management (ERM) program that is moving into its seventh year. The program began with what administrators10 at UW call a “sentinel event,” settling a Medicare and Medicaid overbilling investigation by paying the largest fine by a university for a compliance failure—$35 million. This led the new president, Mark Emmert, to formally charge senior administrators in 2005 with the task of identifying best practices for “managing regulatory affairs at the institutional level by using efficient and effective management techniques” (UW ERM Annual Report 2008, p. 4). At the outset in 2006, the objective for UW was to “create an excellent compliance model built on best practices, while protecting its decentralized, collaborative, and entrepreneurial culture” (Collaborative ERM Report 2006, p. vi). The ERM process at UW has been what Ann Anderson, associate vice president and controller, terms “a journey of discovery.” ERM has developed and evolved at UW, moving from what UW administrators describe as an early compliance phase, through a governance phase to a mega-risk phase. Currently, the University of Washington is focused on two objectives: (1) strengthening oversight of top risks, and (2) enhancing coordination and integration of ERM activities with decision-making processes at the university. This case study will describe the decision-making and implementation process at UW, as well as outline various tools and frameworks that UW adopted and adapted for use not only in the higher education setting in general, but to fit specifically within the university’s decentralized culture.
Institutional Profile

Founded in 1861, the University of Washington is a public university enrolling some 48,000 students and awarding approximately 10,000 degrees annually (see Exhibit 9.4). The institution also serves approximately 47,000 extension students. There are nearly 650 student athletes in UW’s 21 Division I men’s and women’s teams. There is a faculty/staff of over 40,000, making UW the third-largest employer in the state of Washington. The university comprises three campuses with 17 major schools and colleges and 13 registered operations abroad. It has a $5.3 billion annual budget, with $1.3 billion in externally funded research and $2.6 billion in clinical medical enterprise. UW has been the top public university in federal research funding every year since 1974 and has been among the top five universities, public and private, in federal funding since 1969. The university has an annual $9.0 billion economic impact on the state of Washington.
Culture at UW

When appointed to serve on the President’s Advisory Committee on ERM (PACERM) in 2007, Professor Daniel Luchtel commented, in the context of talking about risk assessments, that “the number of issues and their complexity is stunning. The analogy that comes to mind is trying to get a drink of water from a fire hose” (2007 ERM Annual Report, p. 4). As with most higher education institutions, especially research universities, along with the core business of the teaching and learning of undergraduate and graduate students, the faculty are focused on the creation of new knowledge. “The University of Washington is a decentralized yet collaborative entity with an energetic, entrepreneurial culture. The community members are committed to rigor, integrity, innovation, collegiality, inclusiveness, and connectedness” (Collaborative Enterprise Risk Management Final Report 2006, p. v).
Faculty innovation and the idea of compliance don’t always go hand in hand in higher education, and UW is no exception. Research associate professor David Lovell, vice-chair of the Faculty Senate in 2007–2008, expresses it well:

“Compliance” [is] not necessarily a good word for faculty members. . . . What lies behind [that] is the high value faculty accord to personal autonomy. . . . The notion of a culture of compliance sounds like yet another extension of impersonal, corporate control, shrinking the arena of self-expression in favor of discipline and conformity. . . . Over the last ten months, I’ve come to understand that you’re not here to get in our way, but to make it possible for us faculty legally to conduct the work we came here to do. . . . I hope that working together, we can try to spread such understanding further, so that we can make compliance—or whatever term you choose—less threatening to faculty and frustrating to staff. (Annual ERM Report 2008, pp. 6–7)

Organizationally, the institution is divided into silos, which has historically focused risk mitigation within those silos.

Exhibit 9.4 University of Washington Student Profile
[Figure: 48,022 students were enrolled at the UW in the fall of 2009: 32,291 undergraduate, 11,592 graduate, and 1,907 professional. For each group the figure gives the shares of women and men, Asian Americans, underrepresented minorities, and international students, and it counts UW’s Gates Cambridge, Marshall, and Rhodes scholars.]
From University of Washington Fact Book: http://opb.washington.edu/content/factbook.
Implementation History at UW

On April 22, 2005, President Mark Emmert sent an e-mail to the deans and cabinet members in which he said: “With the most recent example of compliance issues, we have again been reminded that we have not yet created the culture of compliance that we have discussed on many occasions.” He went on to say that “the creation of a culture of compliance needs to be driven by our core values and commitment to doing things the right way, to being the best at all we do. . . . We need to know that the manner in which we manage regulatory affairs is consistent with the best practices in existence.”
The Sentinel Event: Largest Fine at a Medical School

The Collaborative Enterprise Risk Management Report for the University of Washington (2006) began with the following: “Over the past few years, the UW has been confronted by a series of problems with institution-wide implications, including research compliance, financial stewardship, privacy matters, and protection of vulnerable populations” (p. v). The situation with the highest impact on the university began when Mark Erickson, a UW compliance officer, filed a complaint alleging fraud in the UW’s Medicare and Medicaid billing practices. The 1999 complaint prompted a criminal investigation, guilty pleas from two doctors, and a civil lawsuit resulting in the $35 million settlement, the largest settlement made by an academic medical center in the nation. The federal prosecutor claimed that “many people within the medical centers were aware of the billing problems” and that “despite this knowledge, the centers did not take adequate steps to correct them” (Chan 2004). UW’s 2006 ERM Annual Report acknowledges that, in addition to the direct cost of the fines, there were also indirect costs in terms of additional resources for reviews of university procedures, increased rigor and frequency of audits, and an incalculable damage to the university’s reputation. The federal prosecutor acknowledged that UW’s efforts to reform its compliance program have been “outstanding” (Chan 2004). He further noted that since the lawsuit was filed, the university “has radically restructured their compliance office. The government is very pleased with the efforts the UW is taking to take care of these errors.”
Leadership from the Top: President Outlines the Charge

At the time of the medical billing scandal, Lee L. Huntsman was president of UW. Huntsman had formerly been the acting provost, associate dean for scientific affairs at the school of medicine, and a professor of bioengineering. The UW Board of Regents had appointed Huntsman in a special session when Richard McCormick, the incumbent, accepted the presidency at Rutgers. Huntsman served for 18 months as president and continued as Special Assistant to the President and Provost for Administrative Transition until 2005 and as a senior adviser to the university for several more years. Mark A. Emmert, former chancellor of Louisiana State University and a UW alumnus, was appointed as the 30th president of UW and professor with tenure at the Evans School on June 14, 2004.

In April 2005, President Emmert charged V’Ella Warren, Vice President for Financial Management, and David Hodge, Dean of the College of Arts and Sciences, with conducting a preliminary review of best practices in compliance and enterprise risk management in corporate and higher education institutions. Warren engaged the Executive Director of Risk Management, Elizabeth Cherry, and the Executive Director of Internal Audit, Maureen Rhea, to conduct a literature search on enterprise risk management, particularly in higher education. Cherry and Rhea engaged Andrew Faris, risk management analyst, to assist, and the three spent nearly two years (from 2004 to 2006) conducting the literature search and finding out how risk management was functioning on other campuses. As they conducted their research, they continued to report their findings to Vice President Warren. They also piloted the risk assessment process with various departments at UW.
Based on their findings and discussions with Vice President Warren, a draft report was compiled to provide initial guidance for the development of a UW-specific framework. The report provided an overview of various approaches to compliance, described best practices at four peer universities (University of Texas system, University of Minnesota, University of Pennsylvania, and Stanford University), identified the common problems encountered in several recent compliance problems at UW, and offered suggestions for actions that UW might take in the effective management of compliance and risk. President Emmert then charged Warren and Hodge to cochair the recommended Strategic Risk Initiative Review Committee (SRIRC). The role of the SRIRC was to continue to investigate best practices in university risk management and make recommendations about a structure and framework for compliance that would fit the UW culture. In a memo to the SRIRC regarding that review, Warren and Hodge noted that they had “developed a framework for university-wide risk and compliance management which builds on [UW]’s decentralized and collaborative character.” President Emmert also made it clear that the proposed model should be driven by UW’s core values as well as promote “effective use of people’s time and energy.” In a memo to the deans and cabinet members in 2005, President Emmert declared that UW did not “want or need another layer of bureaucracy.”
The SRIRC was comprised of broad university representation, including
the Executive Vice President, the Associate Vice President for Medical Affairs,
the Senior Assistant Attorney General, the Vice Provost-elect for Research, the
Vice Provost for Planning and Budgeting, the Chancellor of the University of
Washington–Tacoma, the Athletic Director, the Dean of the School of Public Health
and Community Medicine, the Provost and Vice President for Academic Affairs,
the Dean of the School of Nursing, the Special Assistant to the President for Exter-
nal Affairs, the Vice President of Student Affairs, two faculty members, and two
students. Meeting throughout the fall semester, the SRIRC reviewed the prelim-
inary research material provided by Hodge and Warren and their team and dis-
cussed a variety of issues, including the structure for risk management, how risk
assessment has been and could be conducted, communication issues, methods for
reporting risks, ways to report progress, and others. For each initiative, they asked
the following three questions: Does this proposal add value? What obstacles are appar-
ent and how can they be addressed? How could this proposal be improved?
In addition to formal meetings, Cherry, Rhea, and Faris conducted one-on-one
meetings with the SRIRC members to gather more information about how they
viewed implementation at the university. Because one of the recommenda-
tions was the creation of a Compliance Council, meetings were also conducted
throughout the campus with director-level personnel to survey their interests
and suggestions regarding that aspect of the proposed model. Prior to the formal
implementation of the ERM program, resources were also dedicated to creating an
infrastructure to sustain the recommended model. Faris’s role as risk manager
was formally revised to create a full-time ERM analyst position within the Office
of Financial Management in the Finance and Facilities division, and a half-time
ERM project manager position was created, filled by Kerry Kahl.
Advisory Committee Recommendations: Create a
Culture-Specific ERM Program
In February 2006, Hodge and Warren put forth to President Emmert a Collabora-
tive Enterprise Risk Management Proposal developed by the SRIRC. The proposal
recommended that “the UW adopt an integrated approach to managing risk and
compliance, commonly called enterprise risk management (ERM).” They acknowl-
edged that the proposed changes were not intended to “replace what already
works across the university,” but rather to “augment the existing organization with
thoughtful direction, collaboration, and communication on strategic risks” (Collab-
orative ERM Final Report, February 13, 2006). At the outset, the SRIRC acknowl-
edged that the structure and priorities of the ERM program would likely evolve
and develop over time, but the members of the committee were confident that
they had created a “strong, yet flexible framework within which to balance risk
and opportunity” (February 14, 2006, memo to President Emmert).
While the report acknowledged the impetus for the creation of the ERM pro-
gram (the $35 million compliance failure fine), it focused on the positive impact
an ERM program could have for UW, beyond addressing compliance concerns.
The report defined key terms and made recommendations based on three basic
parameters: scope of the framework, organizational structure for the framework,
and philosophy of the program. Each aspect was framed in the context of the liter-
ature review and campus comparisons; UW-specific recommendations were put
forth based on SRIRC discussion and analysis.
Scope of the Risk Framework
The report reviewed and discussed the various approaches taken by organizations
in practicing risk management, from a basic practice of risk transfer through insur-
ance to a more integrated institution-wide approach. It acknowledged that, prior
to implementation, some key decisions would need to be made: Would the scope
of the program be institution-wide or targeted at the school, college, or unit level?
Would it include all risks (compliance, finances, operations, and strategy) or be
focused on certain categories of risk? ERM was cited as “the most advanced point
on the continuum,” a model that integrates risk into the organization’s strategic
discussions. The report also summarized a Centralized Compliance Management
approach. This model, rather than encompassing all risks, would focus primarily
on legal and regulatory compliance. It was noted that “while both are university-
wide approaches, they vary in a number of important aspects, including scope,
objective, and benefits” (p. 6).
The report also summarized the ERM models at four IHEs, based on interviews
with compliance and audit managers at those institutions. Noting that all four were
institution-wide approaches, Pennsylvania and Texas were identified as having
adopted a more corporate philosophy; Minnesota, a compliance approach with a
centralized style; and Stanford, a collaborative ERM approach (see Exhibit 9.5). The
report recommended developing a “collaborative, institution-wide risk manage-
ment model” for UW, one that “ensures that UW creates an excellent compliance
model based on best practices, while protecting its decentralized, collaborative,
and entrepreneurial culture” (p. 28).
[Exhibit 9.5 figure: a Control-to-Collaboration scale contrasting Centralized Compliance Management with Enterprise Risk Management, on which Minnesota, Stanford, Pennsylvania, Texas, and Washington are plotted.]
Exhibit 9.5 UW’s Approach to Risk Management Compared to Other Institutions
From University of Washington Collaborative Enterprise Risk Management Final Report, February 13,
2006.
Organizational Structure
Based on a review of the literature and discussions with risk and audit managers
at other universities, the report also summarized various models and structures
for organizing the risk management activities. One method was to appoint a cen-
tral risk officer with institution-wide oversight and responsibility. With this model,
key decisions would need to be made regarding reporting lines and the placement
of that position within the organization. The report also outlined UW’s current
approach to risk management, noting that it had moved beyond the insurance
approach, “which is usually reactive and ad hoc,” but also observing that respon-
sibility for specific risks was currently distributed among the institution’s orga-
nizational silos (p. 15). It further noted that “the UW does not formally integrate
risk and compliance into its strategic conversations at the university-wide level”
(p. 15). While acknowledging the good progress being made in several areas
(including UW Medicine, the newly restructured Department of Audits, and the
Office of Risk Management), the report highlighted the weaknesses of the current
approach, including the fact that “due to the size, decentralization, and complexity
of the institution, a proliferation of compliance, audit, and risk management activ-
ities has grown up around separate and distinct risk areas, each largely operating
in a self-defined stovepipe” (p. 18).
Philosophy of the Program
The report also discussed the philosophy of a proposed risk management pro-
gram, asking whether the preferred approach should focus on enforcing law and
regulation—a compliance or control approach—or be one that “encouraged coop-
eration between faculty and staff to develop flexible compliance approaches—a
collaborative approach” (p. 2). After sharing the findings from the literature review
and the institutional profiles of the peer institutions, the report outlined three guid-
ing principles to shape the evolution of compliance and risk management at UW:
(1) foster an institution-wide perspective, (2) ensure that regulatory management
is consistent with best practices, and (3) protect UW’s decentralized, collaborative,
entrepreneurial culture. In light of these principles, the report made the following
eight recommendations, detailing the key elements and implementation sugges-
tions for each:
1. Integrate key risks into the decision-making deliberations of senior leaders
and Regents.
2. Create an integrated, institution-wide approach to compliance.
3. Ensure that good information is available for the campus community.
4. Create a safe way for interested parties to report problems.
5. Minimize surprises by identifying emerging compliance and risk issues.
6. Recommend solutions to appropriate decision makers.
7. Check progress on compliance and risk initiatives.
8. Maintain a strong audit team.
EVOLUTION OF ERM AT UW
The SRIRC report acknowledged that the ERM concept was not new, but that it had
not been fully implemented at many organizations, especially in higher education.
The development of risk management within an organization was discussed, not-
ing that the management of risk develops along a continuum, with early mod-
els focused on hazard risks only and mitigation being accomplished primarily
through the purchase of insurance. As risk models evolve at an organization, other
risk types are added to the model and more cross-functional participation by other
units begins to occur. Ultimately, strategic risks are added to the conversation and
there is an integration of information from all units across the university. It is at
this point that risk can be viewed as both an opportunity and a threat and where
mitigation priorities can be more clearly linked to the strategic objectives of the
organization.
In 2006, when the ERM program and model were proposed, UW viewed itself
as being in the middle of the continuum (see Exhibit 9.6). The report noted:
Although many operational units, committees, and administrative bodies handled
the risks faced in their own environments well, there is little cross-functional shar-
ing of information. The opportunity aspect of risk is therefore not fully utilized
by the University and risk mitigation priorities are not consistently driven by the
institution’s strategic objectives. (p. 4)
The 2012 ERM Annual Report observes that “the ERM program has continued
to evolve, developing structural mechanisms to support the 8 initial recommenda-
tions” (p. 2).
Faris and Kahl commented that the first few years of implementation of ERM
at UW were focused on risk assessments. They spent most of their time (both work-
ing with the ERM committees and in their roles as ERM staff) performing risk
assessments using the risk mapping process (e.g., writing a risk statement, ranking
the risks for likelihood and impact, plotting the risks on a 5 × 5 map). In the first
four or five years, they conducted nearly 35 risk assessments across the univer-
sity. Based on broad cross-functional topics identified by the President’s Advisory
Committee on ERM (PACERM), the risk assessments were facilitated by Faris and
Kahl with temporary teams put together to meet three to five times over the course
of the year to write risk statements, rank them, and put together suggestions for
mitigation.
[Exhibit 9.6 figure: UW Evolution of ERM. Vertical axis, Risk Categories: Compliance, Operational, Financial, Strategic – Mega. Horizontal axis, Degree of Cross-Functional Integration: Separate Functions, Partial Integration, Full Integration. Two regions are marked “What we have accomplished” and “Where UW’s program is headed”.]
Exhibit 9.6 Evolution of ERM at the University of Washington
From University of Washington 2009 ERM Annual Report, p. 4.
The first five years of ERM at UW were “formative” and focused on the fol-
lowing key activities:
• Developing a common language around risk
• Conducting individual risk assessments
• Focusing discussion and mitigation on financial and enrollment challenges
• Comparing financial strength (as gauged by Moody’s Investors Service)
against peers
• Drafting an initial compendium of enterprise-wide success metrics
Well-written, clear annual reports to the president, the Board of Regents, and
the UW community helped to connect the dots and keep the strategic overar-
ching goals front and center, even as employees at the unit level were continu-
ously engaged in the more operational aspects of ERM. Exhibit 9.7 summarizes
the implementation time line from the formalized inception of ERM at UW to the
present. A review of the chart shows how the UW has continued to move from an
initial focus on hazard risk to a more integrated, strategic approach to enterprise
risk management.
Exhibit 9.7 University of Washington ERM Implementation Time Line
Academic Year   Initiatives∗
2005–2006 President Emmert charged administrators with review of best practices and
development of broad institutional compliance/risk framework for UW.
Warren and Hodge drafted report with overview of institution-wide
approaches, best practices at four peer universities, common compliance
problems faced by UW, and suggestions for next steps.
2006–2007 Developed a central focus and common language for evaluating risk across
the university.
ERM structure formed (including PACERM, Compliance Council).
First UW-wide risk map was compiled.
Office of Risk Management dedicated one FTE to ERM initiative.
Dedicated $4.8 million in funds for integrity/compliance/stewardship
initiatives, including animal care, student life counseling, human subjects,
global activities, and IT security.
Information about ERM program included in reinsurance renewal
discussions with international underwriters.
First Annual Report to the Board of Regents.
2007–2008 Identified key strategic and mega risks for the institution.
Expanded Compliance Council to form COFi.
Rolled out Enterprise Risk Management Toolkit for units to do
self-assessments.
UW Medicine and Department of Athletics presented annual reports on their
compliance programs and ongoing efforts to minimize risks and address
current issues.
Continued development of the Institutional Risk Register.
Internal Audit department expanded from nine to 15 staff.
2008–2009 Focused on financial crisis and demographics.
PACERM formed two mega-risk subgroups to apply ERM processes at a
strategic level: extended financial crisis and faculty recruitment and
retention.
HR advance planning for economic downturn and major reduction in state
funding.
Office of Risk Management conducted first Employment Practices Liability
Seminar.
ERM web pages were enhanced.
Hired a new Executive Director for Audits.
Second ERM Report to the Board of Regents.
2009–2010 Development of the UW Integrated Framework based on COSO model.
PACERM focused discussion on how to remain competitive.
Initial exploration of enterprise-wide dashboard of success metrics.
Use of risk assessments in business case alternatives and research proposals.
2010–2011 PACERM evaluated the university’s academic personnel profile and oversaw
major information technology projects.
Assessed institutional financial strength in comparison to peers (Moody’s).
More than 200 ERM Toolkits provided to universities and companies.
2011–2012 Development of enterprise-wide dashboard of success metrics.
UW’s work recognized as a “Best Practice” by the Association of Governing
Boards for Universities and Colleges (AGB).
∗All initiatives, including others not detailed in this chart, are outlined in more detail in the UW ERM
Annual Reports, available at the website: http://f2.washington.edu/fm/erm.
ERM STRUCTURE AT UW
The organizational structure for ERM at UW arose out of the initial recommen-
dations of the SRIRC. In aggregate, the UW ERM program comprises the
following areas, working together to create an effective structure: UW units; ERM
staff; Compliance, Operations, and Finance Council (COFi Council); President’s
Advisory Committee on ERM (PACERM); Internal Audit; and the UW President
and Provost (see Exhibit 9.8).
UW Units
At the unit level, staff and faculty take ownership of the activities that give rise
to risk. They conduct risk and opportunities identification and self-assessments.
They develop strategies and take action to mitigate and monitor risk. They are
encouraged to share a summary of their risk assessments with the Office of Risk
Management.
ERM Program Staff
There are 1.5 full-time equivalent (FTE) ERM program staff located in the office of
the associate vice president/controller for UW. This staff supports the work of the
various committees and units, in part by establishing the ERM framework, stan-
dards, and templates. They monitor and participate in risk assessments for the purpose
of providing the enterprise view. They provide administrative support and
summary information and analyses to the ERM committees. They also provide
professional development in a train-the-trainer format.
[Exhibit 9.8 figure: the UW ERM structure in three tiers. Entity Level (top-down view of strategic risks, mega risks, and opportunities): University President and Provost, UW Environment (e.g., right side of cube), and the President’s Advisory Committee on Enterprise Risk Management (PACERM). Division or Function Level (middle-up, cross-functional view of compliance, operations, and financial risks): Compliance, Operations, Finance Council (COFi), spanning eight functional areas of risk (Core Functions and Support Services): Research; Academic Affairs; Athletics; Health Care; Risk and Safety; Finance; Information Technology; Human Resources. Unit Level (bottom-up view of risks and opportunities), with example UW units Attorney General, Risk Management, and Environmental Health & Safety.]
Exhibit 9.8 University of Washington ERM Structure
From University of Washington 2010 ERM Annual Report, p. 10.
Compliance, Operations, and Finance Council (COFi)
The COFi Council, led by the Executive Director of Audits, takes a middle-up,
cross-functional view of risks and opportunities, particularly items that have
university-wide potential impact or where supervisory authority for various
aspects of the risk reside in different departments or divisions across the univer-
sity. The COFi Council has oversight of risk assessments at the division or func-
tional level. It provides approval of methods to monitor risks and identifies topics
for outreach, particularly items that have university-wide potential impact or that
involve cross-departmental or divisional silos. The six primary goals of the COFi
Council are to:
1. Engage in a continual, cross-functional process that results in effective prior-
itization of institutional responses to compliance, financial, and operational
risks, and consider the impact to strategic and reputational risks.
2. Ensure that the institutional perspective is always present in risk and com-
pliance management discussions.
3. Identify strategies to address emerging risks and compliance management
issues.
4. Support risk and compliance management training and outreach efforts
throughout the university.
5. Provide external auditors and regulators with information about the uni-
versity’s risk and compliance programs.
6. Avoid the creation of additional bureaucracy by minimizing redundancy
and maximizing resources.
President’s Advisory Committee on ERM (PACERM)
PACERM, cochaired by the Provost and the Senior Vice President for Finance and
Facilities, has oversight of risk assessments at the entity level. Taking a top-down
view of risks and opportunities, PACERM advises the university president and
other senior leaders on the management of risks and opportunities that may signif-
icantly impact strategic goals and/or priorities. They review the ERM dashboard
(e.g., key risk indicators and key performance indicators). According to V’Ella
Warren and Ana Mari Cauce, cochairs of PACERM in 2008–2009, PACERM “is the
one place where participants set aside their individual organizational perspectives,
and really think about the major risks and opportunities from an institution-wide
view” (2009 ERM Annual Report, p. 6).
Internal Audit
Internal Audit provides independent verification and testing of internal controls.
The department also provides administrative support and summary information
to the COFi Council.
UW President and Provost
The President and Provost play a key role in acknowledging, validating, and sup-
porting the ERM program. They verbally refer to key documents such as the ERM
framework, PACERM and COFi Council charters and assessments, and the ERM
dashboard. They provide entity-level reporting to the Regents.
UW’S ERM MODEL
After a careful review of models in the corporate sector and within higher educa-
tion, UW settled on the following regarding its ERM model:
• Assess risks in the context of strategic objectives, and identify interrelation
of risk factors across the institution, not only by function.
• Cover all types of risk: compliance, financial, operational, and strategic.
• Foster a common awareness that allows individuals to focus attention on
risks with strategic impacts.
• Enhance and strengthen UW’s culture of compliance while protecting the
decentralized, collaborative, entrepreneurial nature of the institution.
Adopting and Adapting the COSO Model
UW has defined ERM according to its interpretation of the Committee of Spon-
soring Organizations (COSO) model, adapting the framework to fit the university
environment and the UW in particular (see Exhibit 9.9).
[Exhibit 9.9 figure: the University of Washington Enterprise Risk Management – Integrated Framework, drawn as a cube. Front face, ERM Process: Leadership, Culture, Values; Strategic Goals; Risk / Opportunity Identification; Risk / Opportunity Assessment; Response; Control Activities; Information & Communication; Monitoring & Measuring. Top face, Risk Categories: Compliance, Operations, Financial, Strategic, Mega. Right face, UW Environment: Unit Level, Division or Function Level, Entity Level, Alternatives.]
Exhibit 9.9 University of Washington’s ERM Integrated Framework
From University of Washington Enterprise Risk Management Toolkit, p. 7. Copyright 2007, University
of Washington.
COSO describes ERM
as “a process, effected by an entity’s board of directors, management, and other
personnel, applied in strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and manage risk to be within
its risk appetite, to provide reasonable assurance regarding the achievement of
entity objectives” (COSO 2004). The framework was adopted in 2009–2010; the 2010 ERM Annual
Report notes:
The UW ERM Integrated Framework offers a schema to integrate the views of risk
that have historically been addressed in silos or through a fragmented approach.
The ERM framework bridges the gap between lower-level issues and upper-level
issues, and it allows us to be explicit about the multiple levels on which the ERM
process is deployed as a risk and/or opportunity management mechanism. (p. 4)
Risk Categories
The top of the cube identifies risk types, including compliance, operations, and
financial risks. Strategic risks can impact the mission. Mega risks are major external
events over which the institution has no control, but for which the institution can
prepare.
UW Environment
The right side of the cube views the organizational structure at three levels: entity,
which entails all operations and programs; division or function, looking at a major
risk in depth; and unit, where individual departments can use the tools to assess
their risks. A fourth level of ERM used in the UW environment is to evaluate
alternatives.
ERM Process
The front of the cube outlines the traditional eight steps from the COSO model,
including setting the tone and context for ERM at the top, identifying risks in con-
junction with strategic goals, and through the complete cycle with implementation
and follow-up.
The report notes:
UW’s “cube” integrates the several ERM facets into a whole, and enables ERM to
be applied in a very intentional manner: Starting any new risk assessment requires
identifying the appropriate level of the organization or environment at which the
assessment will be made; focusing on which set of risks (compliance—strategic—
mega risks) to cover; and applying all the steps in the ERM cycle to ensure a com-
plete assessment and follow through.
The UW views ERM as integrating risk discussions into strategic deliberations
and identifying the interrelation of risk factors across activities. Using the COSO
model, its eight-step process involves the following (see Exhibit 9.10):
1. Leadership, culture, and values. Setting the tone at the top.
2. Strategic goals. At the entity or institutional level (top down), the division
or function level (risk topic across shared goals of VPs and deans—“middle
up”), the unit level (such as a department, school, or college—bottom up),
or the alternatives level (investment alternatives or business options).
[Exhibit 9.10 figure: the ERM Process drawn as a cycle of eight steps: Leadership, Culture and Values; Strategic Goals; Risk Identification; Risk Assessment; Controls; Response; Monitoring and Measuring; Information and Communication.]
Exhibit 9.10 University of Washington ERM Process
From University of Washington Enterprise Risk Management Toolkit, p. 8. Copyright 2007, the
University of Washington.
3. Risk identification. In the appropriate context, name the harm, loss, or com-
pliance violation to avoid, as well as the opportunities to be identified.
This typically begins with listing broad risk activities or subject areas. Risks
can be identified at the entity, division, functional, unit, or alternatives
level. This process includes the use of risk statements and opportunity
identification.
4. Risk assessment. In the appropriate context, analyze the risk or opportunity
in terms of likelihood and impact (see Exhibit 9.11). Create a risk map, rank-
ing or prioritizing risks to inform decisions regarding response. For oppor-
tunities, rate the likelihood of occurrence on a scale of 1 to 5 (1 = rare, not
expected to occur in the next five years; 5 = almost certain, expected to occur
more than once per year). Also rank the positive impact, considering what
impact the opportunity would have on the institution’s ability to achieve
goals or objectives (1 = insignificant, with little or no impact on objectives
and no impact to reputation and image; 5 = outstanding, could significantly
enhance the capability to meet objectives and could significantly enhance
reputation and image).
5. Response. Selecting the appropriate response involves comparing the cost
of implementing the option against benefits derived from it. Responses
include avoid, mitigate, transfer, or accept the risk. For opportunities, the
response can be exploit, enhance, share, or ignore.
6. Controls. Document internal controls for top risks, and rank for effective-
ness. For UW, internal controls are narrowly defined to describe the meth-
ods used by staff or faculty that help ensure the achievement of goals and
objectives, such as policies, procedures, training, and operational and phys-
ical barriers.
Exhibit 9.11 University of Washington Risk Assessment: Likelihood and Impact
(cell value = impact rating × likelihood rating)

                                          LIKELIHOOD
IMPACT                  Rare    Unlikely   Possible   Likely   Almost Certain
                        – 1 –    – 2 –      – 3 –      – 4 –      – 5 –
Catastrophic  – 5 –       5       10         15         20         25
Disastrous    – 4 –       4        8         12         16         20
Serious       – 3 –       3        6          9         12         15
Minor         – 2 –       2        4          6          8         10
Insignificant – 1 –       1        2          3          4          5

Risk Level      Score Range
Extreme         19.5 – 25
High            12.5 – 19.4
Substantial     9.5 – 12.4
Medium          4.5 – 9.4
Low             1 – 4.4

From University of Washington Enterprise Risk Management Toolkit, p. 17. Copyright 2007, the
University of Washington.
7. Information and communication. Communicate with stakeholders and take
action (the transition from analysis to action). Designate a risk owner for
each of the top risks.
8. Monitoring and measuring. Monitor performance to confirm achievement
of goals and objectives, and monitor risk to track activities that prevent
achievement of goals and objectives.
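The scoring in steps 3 through 7 can be carried through in code. What follows is an added example, not code from the UW Toolkit or from this chapter: it rates a constructed set of risk and opportunity statements on the 1-to-5 likelihood and impact scales, classifies each by the Exhibit 9.11 score ranges, ranks them, checks that the recorded response is one of the four the text allows for its kind, and lays the risks out on the 5 × 5 map. The statement texts, owners, and responses are invented for illustration; the scale labels and score ranges are the ones in Exhibit 9.11.

```python
"""Risk mapping helpers modelled on UW's 5 x 5 likelihood/impact map (Exhibit 9.11).

Added example: not code from the UW Toolkit or from this chapter. The statements,
owners, and responses in SAMPLE are constructed for illustration.
"""
from dataclasses import dataclass

# Scale labels from Exhibit 9.11 and step 4 of the ERM process.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Serious", 4: "Disastrous", 5: "Catastrophic"}

# Score ranges from Exhibit 9.11: (inclusive lower bound, level name), checked
# from the top down so a score maps to the first range it reaches.
RISK_LEVELS = [(19.5, "Extreme"), (12.5, "High"), (9.5, "Substantial"),
               (4.5, "Medium"), (1.0, "Low")]

# Allowed responses per step 5: four for risks, four for opportunities.
RESPONSES = {
    "risk": ("avoid", "mitigate", "transfer", "accept"),
    "opportunity": ("exploit", "enhance", "share", "ignore"),
}


def classify(score: float) -> str:
    """Map a likelihood x impact score (1..25) to an Exhibit 9.11 risk level."""
    for lower_bound, level in RISK_LEVELS:
        if score >= lower_bound:
            return level
    raise ValueError(f"score {score} is below the lowest range")


@dataclass(frozen=True)
class Statement:
    """One risk or opportunity statement written in step 3 and rated in step 4."""
    text: str
    kind: str          # "risk" or "opportunity"
    likelihood: int    # 1 = rare (not expected within five years) .. 5 = almost certain
    impact: int        # 1 = insignificant .. 5 = catastrophic (outstanding, for opportunities)
    owner: str         # risk owner designated in step 7
    response: str      # response chosen in step 5

    def __post_init__(self) -> None:
        if self.kind not in RESPONSES:
            raise ValueError(f"unknown kind {self.kind!r}")
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must be integers from 1 to 5")
        if self.response not in RESPONSES[self.kind]:
            raise ValueError(f"{self.response!r} is not a valid {self.kind} response")

    @property
    def score(self) -> int:
        # Each cell of the 5 x 5 map is the product of its row and column ratings.
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return classify(self.score)


def rank(statements):
    """Order statements for the map: highest score first, higher impact breaks ties."""
    return sorted(statements, key=lambda s: (-s.score, -s.impact, s.text))


def risk_map(statements):
    """Bucket statements by (impact, likelihood) cell so the map can be drawn."""
    grid = {(i, l): [] for i in IMPACT for l in LIKELIHOOD}
    for s in statements:
        grid[(s.impact, s.likelihood)].append(s)
    return grid


def render_map(statements) -> str:
    """Plain-text 5 x 5 map of counts: rows run impact 5..1, columns likelihood 1..5."""
    grid = risk_map(statements)
    lines = ["Impact \\ Likelihood   " + "  ".join(f"{l:>3}" for l in LIKELIHOOD)]
    for impact in sorted(IMPACT, reverse=True):
        cells = [f"{len(grid[(impact, l)]):>3}" for l in LIKELIHOOD]
        lines.append(f"{IMPACT[impact]:<13} ({impact})   " + "  ".join(cells))
    return "\n".join(lines)


def summarize(statements):
    """Ranked (text, score, level, response) rows for a report to the ERM committees."""
    return [(s.text, s.score, s.level, s.response) for s in rank(statements)]


# Constructed sample statements (illustrative only, not from any UW risk register).
SAMPLE = [
    Statement("Unpatched departmental server is compromised and regulated data exposed",
              "risk", 4, 5, "Information Security", "mitigate"),
    Statement("Animal care protocol lapse draws a federal compliance finding",
              "risk", 2, 5, "Office of Research", "mitigate"),
    Statement("State funding falls sharply within a single biennium",
              "risk", 4, 4, "Planning and Budgeting", "mitigate"),
    Statement("Unencrypted laptop holding student records is stolen",
              "risk", 3, 2, "Human Resources", "transfer"),
    Statement("Short enrollment-website outage during registration",
              "risk", 5, 1, "Information Technology", "accept"),
    Statement("Shared ERM Toolkit adopted by peer institutions",
              "opportunity", 3, 4, "Office of Risk Management", "share"),
]

if __name__ == "__main__":
    for text, score, level, response in summarize(SAMPLE):
        print(f"{score:>2}  {level:<11} {response:<9} {text}")
    print(render_map([s for s in SAMPLE if s.kind == "risk"]))
```

Two design points follow the text rather than generic practice: the level boundaries are the fractional ones from Exhibit 9.11 (19.5, 12.5, 9.5, 4.5), so a score of 12 is Substantial and 13 is High, and an opportunity is rated on the same two scales but may only carry an exploit, enhance, share, or ignore response, which the constructor enforces so a register cannot record an "accept" against an opportunity.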
Tools and Techniques
As its ERM program has developed and evolved, UW has learned from its expe-
rience and is positioned to share information not only internally, but with oth-
ers in higher education as well. The university has developed a comprehensive
Enterprise Risk Management Toolkit, copyrighted in 2007, with the second edition
released in 2010. The second edition includes an expanded section on the ERM pro-
cess and has new material on evaluating opportunities. It is comprised of a manual
and a set of spreadsheets that provides a framework for assessing and understand-
ing institutional risks. The UW allows access to the Toolkit for UW staff, faculty,
and students, federal agencies, Washington State agencies, and other institutions
of higher education at no charge through the UW Center for Commercialization
Express Licensing Program.
As is typical with most universities, the tools utilized by UW for conducting
the risk assessment process are Microsoft Office products. Excel is used to catalog
risk assessment inventories and Word for report writing. While the administrators
have explored many options for software to aid in the process (and to potentially
provide outcomes such as dashboards), they find that, having been developed in
the corporate for-profit environment, none of those options are particularly suited
to capturing the needs of the higher education environment. They note, however,
that at the unit level, many departments are investing in unit-specific software to
aid in their data management. For example, the Finance and Budgeting Office is
investigating software to run stress tests and financial simulations, and the Human
Resources Office is examining payroll software. This allows the units to be able to
more quickly evaluate risk specific to their areas, but UW finds that its ability to
aggregate risks for examination at the entity level can be accomplished effectively
with its low-tech process.
OUTCOMES AND LESSONS LEARNED
UW administrators can chart the evolution of their ERM program and its effect on the university. They note that the early wins were at the unit level, when specific departments, such as Information Security and Environmental Health and Safety, integrated the ERM process with their well-established strategic planning processes. Those units used the risk assessment tools to identify and rank risks that could hinder or prevent the achievement of their strategic goals. Integration of ERM at the entity level is happening more slowly, but issues that impact everyone at the UW, such as faculty recruitment and retention or responding to the external financial crisis, can now be addressed in a more integrated fashion as the understanding of ERM evolves. For several years, due to severe budget reductions, the Office of Planning and Budgeting consciously added some questions about risk assessment into the budget request process. Vice presidents and deans were asked to address the impact of budget reductions in terms of risk. This happened, in part, because two key members of the Budget and Planning Office, as well as the Provost, have been involved with the PACERM.
UW administrators have a few other observations about their process and how and why it has worked. First, they note that they were aware from the outset that the environment at UW is highly decentralized and that appointing an “ERM czar” or chief risk officer (CRO) wouldn’t fit with the culture. They made a deliberate choice not to formalize ERM through a senior-level position, but rather to engage in implementation through a committee structure. Second, they involved faculty members from the beginning. This helped with a sense of shared purpose. Faculty members came to see the business side of academia, and staff and administrators better understood the point of view of scholars engaged in teaching and learning. Third, the senior leadership has stayed dedicated to the ERM process, even with transitions in the president and other senior administrators. The 2011 ERM Annual Report points out the benefits to the UW of the ERM approach:
The value of ERM is both qualitative (e.g., risk and opportunity maps) and quantitative (e.g., dashboards to contextualize and display metrics). Qualitative benefits accumulate because the risk mapping process allows groups throughout the University to collectively prioritize issues, and ensure that the effort and resources involved in root cause analysis, measurement, and monitoring are applied only to the most significant concerns. Each iteration of the ERM process results in new capabilities, and insight gained into maintaining the University’s competitive advantage—particularly from managing our financial risks and strategic opportunities better than our peers. (p. 5)
UW has been strategic, deliberate, and inclusive as it continues on its journey to develop and enhance its ERM program, learning lessons from what works and adapting new strategies in order to improve or modify its program. ERM began at UW in 2006 “by establishing a collaborative approach and structure to consider broad perspectives in identifying and assessing risk” (2012 Annual Report, p. 3). This strategy has helped UW overcome some of the traditional challenges facing universities when implementing ERM, including addressing concerns about the real effectiveness of risk assessment, getting agreement on definitions of risk assessment impact, identifying risk owners, and moving beyond the “risk discussion” to focus on mitigation (2012 Annual Report, p. 3). In her November 2012 presentation on UW’s ERM program to the Pacific Northwest Enterprise Risk Forum, Ann Anderson, Associate VP and Controller, outlined the following seven key lessons that UW has learned by engaging in ERM for almost eight years:
1. Clarify the roles of the various risk committees.
2. Develop a “work plan” for the committees.
3. Develop engaging agendas, focused at the appropriate level.
4. Don’t overemphasize “lowest common denominator” risks.
5. Gather data/information to develop expertise on specific risks.
6. Avoid discussing low-level, narrow risks—too time-consuming!
7. Don’t get into the weeds with implementation and process. Delegate actions to responsible parties.
WHAT NEXT?: CURRENT PRIORITIES AND FUTURE DIRECTION
As the 2010 ERM Annual Report points out, the process of involving people in risk assessments, even with the most well-developed risk assessment tools, is only part of the process. “Successfully maintaining a large-scale organizational initiative such as ERM requires a comprehensive, broad based approach that is widely understood and used regularly to clearly articulate where risks and opportunities exist throughout the University” (p. 4). As ERM moves forward at UW, the focus is on a “greater refinement of institutional success metrics, increased assessments of risks identified, and continued expansion across the university to incorporate risk assessment into decision-making and strategic planning” (2012 Annual Report, p. 2). The objectives for 2013–2014 are: (1) strengthen oversight of the top risks and (2) enhance coordination and integration of ERM activities with decision-making processes. Several initiatives will help UW achieve these objectives, including seeking input and approval from the PACERM in order to elevate the monitoring of the top risks; a comparison of the institutional-level risks with unit-level risks; the development of quantitative visual representations of the risks, metrics, and targets; engaging the community more broadly in risk management; integrating risk management with the budget and planning cycle for the university; a retrospective analysis of risks and mitigation investments; and a forward-looking analysis to highlight gaps and areas of concern. They are also in the process of developing specific deliverables and measures as indicators of success, such as executive-level risk registers, dashboards of key risks, and a foundation and structure to integrate risk maps and dashboards with the planning and budgeting cycle.
CONCLUSION
UW’s ERM implementation process and lessons learned are consistent with the guidance offered by the National Association of College and University Attorneys (NACUA). In a 2010 conference presentation, NACUA identified the following eight critical success factors:
1. Establish the right vision and realistic plan.
2. Obtain senior leadership buy-in and direction.
3. Align with mission and strategic objectives.
4. Attack silos at the outset.
5. Set objectives and performance indicators.
6. Stay focused on results.
7. Communicate vision and key outcomes.
8. Develop a sustainable process versus a one-time project.
While complex and time-consuming, effective development of a culture-specific ERM program can have positive outcomes for colleges and universities. Institutions such as UW that view ERM as a long-term investment in institutional health, rather than a fad or simply a set of tools (such as spreadsheets and heat maps), position themselves well not only to respond to the external demands from credit ratings agencies, accreditors, and federal regulators, but to make key strategic decisions, informed by both quantitative and qualitative data, that enhance their organization, leading to increased enrollment and graduation and to strategic disbursement of resources for teaching and research. Their integrated, proactive approach also increases the likelihood that they will avoid future compliance scandals. Perhaps the two most important deliverables on UW’s 2013–2014 agenda are those that demonstrate its awareness of the importance of the human resources component in its collegial environment: outreach to faculty and other administrators to obtain broader validation of risks and to identify additional mitigation activities, and an iterative process to involve senior leaders, the Provost, the President, and the Regents in monitoring the top risks. Through this process, UW is building a culture not only of compliance, but of shared responsibility for the future health of the university.
QUESTIONS
1. How does ERM adoption and implementation in the higher education environment differ from the for-profit environment?
2. What type of culture is at the University of Washington? Why is culture important to consider when implementing ERM?
3. What were some of the key factors in the early stages of UW’s ERM adoption and implementation that led to its current success within the organization?
4. Why did UW decide to adopt a committee structure to administer its ERM program rather than designate a senior level Chief Risk Officer?
5. Who are some of the key players involved in the decision-making about the ERM model and its current administration?
NOTES
1. Many colleges and universities were affected by Hurricane Katrina in the New Orleans area (see the American Association of University Professors [AAUP] Special Committee Report on Hurricane Katrina and New Orleans Universities at https://portfolio.du.edu/downloadItem/92556). The independent report by Louis Freeh and his law firm, Freeh Sporkin & Sullivan, LLP, documents the facts and circumstances of the actions of Pennsylvania State University surrounding the child abuse committed by a former employee, Gerald A. Sandusky (available at http://progress.psu.edu/the-freeh-report). The AAUP’s Committee on College and University Governance reported on breakdowns in governance at the University of Virginia as the board attempted to remove president Sullivan (www.aaup.org/report/college-and-university-governance-university-virginia-governing-board). American University trustees removed then-president Ladner in 2005 after investigation of expense abuses of university funds (http://usatoday30.usatoday.com/news/education/2005-10-11-au-president_x.htm). The most tragic of these situations was, of course, the shootings at Virginia Tech on April 16, 2007. On December 9, 2010, the U.S. Department of Education issued a final ruling that Virginia Tech had violated the Clery Act by failing to issue a “timely warning” to students and other members of the campus community following the initial shootings early on the morning of April 16, 2007. In commenting on the verdict, Stetson Professor of Law Peter Lake stated, “Higher education is under the microscope now. The accountability level has definitely changed” (S. Lipka, “Jury Holds Virginia Tech Accountable for Students’ Deaths, Raising Expectations at Colleges,” Chronicle of Higher Education, March 14, 2010).
2. In order to disburse federal financial aid and grant degrees, institutions in the United States are accredited by one of several accrediting bodies. One example of the way in which accreditors are emphasizing risk management in their review is the Southern Association of Colleges and Schools Commission on Colleges (SACS COC) (www.sacscoc.org/) Standard 3.10.4: The institution demonstrates control over all of its physical and financial resources. The University of Virginia demonstrates evidence of this standard on its website by articulating the organizational structure and integrated policies and procedures related to internal and external audit, internal controls, fixed assets, procurement, facilities management, and risk management, among others (www.virginia.edu/sacs/standards/3-10-4.html).
3. The recent Special Comment by Moody’s, “Governance and Management: The Underpinnings of University Credit Ratings,” declares that “governance and management assessments often account for a notch or more in the final rating outcome compared with the rating that would be indicated by purely quantitative ratio analysis” (Kedem 2010, p. 1). In Moody’s consideration of five broad factors that contribute to its evaluation of governance and management, the report cites “oversight and disclosure processes that reduce risk and enhance operational effectiveness” (p. 2). The report further notes: “Effective internal controls and timely external disclosure about student outcomes, research productivity, financial performance, and organizational efficiency will become the hallmark of effective university leadership and will become increasingly critical in mitigating new risks to individual universities and the sector overall” (p. 3).
4. One significant area of change has been the Internal Revenue Service’s increased oversight of compliance issues affecting tax-exempt entities, including colleges and universities. In 2008, under prompting by members of the U.S. Senate Finance Committee, the IRS developed a 33-page compliance questionnaire (IRS Form 14018) and sent it to a cross section of 400 institutions of higher education. The form focused on a number of potentially sensitive subjects, including the types and amounts of executive compensation, the investment and use of endowment funds, and the relationship between an institution’s exempt activities and other taxable business activities. The IRS also revised its Form 990, “Return of Organization Exempt from Income Tax,” beginning with the 2008 tax year. The purpose of the changes is to increase the transparency and accountability of tax-exempt organizations and to ensure compliance with the Internal Revenue Code by requiring more detailed information in several categories. The changes focus not only on revenue, investment, and spending issues, but also on governance, conflicts of interest, and whistle-blower policies and procedures.
5. Based on a March 13, 2012, phone interview.
6. The Higher Education Act, up for renewal again in 2014, is a law almost 50 years old that governs the nation’s student-aid programs and federal aid to colleges. It was signed into law in 1965 as part of President Johnson’s Great Society agenda of domestic programs, and it has been reauthorized nine times since then, most recently in 2008. Additional examples at the federal level include Section 504 of the Rehabilitation Act of 1973, the Americans with Disabilities Act (ADA) (1990), Family Educational Rights and Privacy Act (FERPA) (1974, 1998, 2009), Health Insurance Portability and Accountability Act (HIPAA) (1996), Clery Act (1990), and Campus Sex Crimes Prevention Act (2000), among others. Lawsuits brought against institutions of higher education in which they and/or certain administrators at those institutions are accused of violating a particular federal law or a related legal right can lead to case decisions that impact that institution and perhaps others. Lawsuits can also have a significant impact even if they result in a settlement rather than a court decision. In May 2006, a group of 12 current and former deaf students at Utah State University sued the institution in U.S. District Court alleging that it had violated the Rehabilitation Act and the ADA by failing to provide enough fully qualified interpreters. The lawsuit also named the Utah State Board of Regents as defendants. After negotiations, the lawsuit was settled in April 2007 with the university agreeing to hire qualified, full-time interpreters at a ratio of one translator for every two deaf students. The lawsuit, the issues it raised, and its ultimate resolution received significant media attention, as well as attention from various organizations around the country promoting the interests of students who are deaf or have hearing deficiencies.
7. Mitroff, Diamond, and Alpaslan (2006) note that “colleges and universities are in the very early stages of establishing their crisis management programs, and much remains to be done. The recent experience in New Orleans and elsewhere suggests that developing and maintaining a well-functioning crisis management program is an operational imperative for college and university leaders” (p. 67).
8. One of those administrators was Elizabeth Cherry, Director of Risk Management, from the University of Washington (UW). As will be discussed in the case study, the UW was embroiled in several high-profile risk situations at the time and was undergoing the first of several presidential transitions.
9. See A. P. Liebenberg and R. E. Hoyt, “The Determinants of Enterprise Risk Management: Evidence from the Appointment of Chief Risk Officers,” Risk Management and Insurance Review 6:1 (2003): 37–52. Their study uses a logistic model to examine the characteristics of firms that adopt ERM programs, most of which signal the fact that they have an ERM program through the hiring of a CRO.
10. Many thanks to Andrew Faris, Enterprise Risk Management Analyst at the University of Washington, and Kerry Kahl, ERM Project Manager at UW. They provided information via an interview in April 2012 that is incorporated throughout this case study. Additional information for the case study comes from Annual Reports, memos, and other documents found on the University of Washington ERM website: http://f2.washington.edu/fm/erm.
REFERENCES
Abraham, Janice. 2013. Risk Management: An Accountability Guide for University and College Boards. Washington, DC: Association of Governing Boards of Universities and Colleges and United Educators.
American Society of Mechanical Engineers–Innovative Technologies Institute, LLC. 2010. A Risk Analysis Standard for Natural and Man-Made Hazards to Higher Education Institutions. Washington, DC: American National Standards Institute.
Arena, M., M. Arnaboldi, and G. Azzone. 2010. “The Organizational Dynamics of Enterprise Risk Management.” Accounting, Organizations and Society 35:7, 659–675.
Association of Governing Boards of Universities and Colleges and United Educators. 2009. The State of Enterprise Risk Management at Colleges and Universities Today. Available at www.agb.org.
Barnds, W. Kent. 2011. “The Risky Business of the Strategic Planning Process.” University Business. Available at www.universitybusiness.com/article/risky-business-strategic-planning-process.
Birnbaum, Robert. 1988. How Colleges Work: The Cybernetics of Academic Organization and Leadership. San Francisco: Jossey-Bass.
Bolman, Lee G., and Terrence E. Deal. 2008. Reframing Organizations: Artistry, Choice and Leadership. San Francisco: Jossey-Bass.
Bush, Tony. 2011. Theories of Educational Leadership and Management (4th ed.). London: Sage Publications.
Cassidy, D. L., L. L. Goldstein, S. L. Johnson, J. A. Mattie, and J. E. Morley Jr. 2001. “Developing a Strategy to Manage Enterprisewide Risk in Higher Education.” National Association of College and University Business Officers and PricewaterhouseCoopers. Available at www.nacubo.org/documents/business_topics/PWC_Enterprisewide_Risk_in_Higher_Educ_2003 .
Chan, Sharon Pian. 2004. “UW Failed to Address Overbilling, Probe Finds.” Seattle Times, May 1, 2004. Available at http://seattletimes.com/html/localnews/2001917467_uwmed01m.html.
Chang, Jean. 2012. Skype interview, March 2.
Committee of Sponsoring Organizations of the Treadway Commission. 2004. Enterprise Risk Management—Integrated Framework. Available at www.idkk.gov.tr/html/themes/bumko/dosyalar/yayin-dokuman/COSOERM .
Committee of Sponsoring Organizations of the Treadway Commission. 2011. Internal Control—Integrated Framework. Available at www.coso.org/documents/coso_framework_body_v6 .
Freeh, Sporkin & Sullivan, LLP. 2012. “Report of the Special Investigative Counsel Regarding the Actions of the Pennsylvania State University Related to the Child Sexual Abuse Committed by Gerald A. Sandusky,” July 12. Available at http://progress.psu.edu/the-freeh-report.
Gallagher Higher Education Practice. 2009. “Road to Implementation: Enterprise Risk Management for Colleges and Universities.” Arthur Gallagher & Co. Available at www.nacua.org/documents/ERM_Report_GallagherSep09 .
Grant Thornton LLP. 2011. “Best-Practice Tips for Boards, Presidents and Chancellors Regarding Enterprise Risk Management.” OnCourse, January. Retrieved from www.grantthornton.com/staticfiles/GTCom/Not-for-profit%20organizations/On%20Course/On%20Course%20-%20Jan%2011%20-%20FINAL .
Grasgreen, Allie. 2013. “Report Shows How Rutgers Botched Handling of Former Coach, Reiterates 5-year-old Recommendations to Improve Athletics.” Inside Higher Education. Available at www.insidehighered.com/news/2013/07/23/report-shows-how-rutgers-botched-handling-former-coach-reiterates-5-year-old.
Gurevitz, Susan. 2009. “Manageable Risk.” University Business. Available at www.universitybusiness.com/article/manageable-risk.
Helsloot, I., and W. Jong. 2006. “Risk Management in Higher Education and Research in the Netherlands.” Journal of Contingencies and Crisis Management 14:3.
Huber, C. 2009. “Risks and Risk-Based Regulation in Higher Education Institutions.” Tertiary Education and Management 15:2.
Kedem, K. 2010. “Special Comment: Governance and Management: The Underpinnings of University Credit Ratings.” Moody’s Investors Service, Report 128850.
Mitroff, I. I., M. A. Diamond, and M. C. Alpaslan. 2006. “How Prepared Are America’s Colleges and Universities for Major Crises?: Assessing the State of Crisis Management.” Change 38:1, 61–67.
National Association of College and University Business Officers and the Association of Governing Boards of Universities and Colleges. 2007. “Meeting the Challenges of Enterprise Risk Management in Higher Education.” Available at www.ucop.edu/riskmgt/erm/documents/agb_nacubo_hied .
Nelson, John. 2012. Phone interview, March 13.
Stripling, Jack. 2012. “Penn State Trustees Were Blind to Risk, Just Like Many Boards.” Chronicle of Higher Education, July 12. Available at http://chronicle.com/article/Penn-State-Trustees-Were-Blind/132943/.
Tertiary Education Quality Standards Agency. 2013. Available at www.teqsa.gov.au/.
Tufano, Peter. 2011. “Managing Risk in Higher Education.” Forum Futures. Available at http://net.educause.edu/ir/library/pdf/ff1109s .
University Risk Management and Insurance Association. 2007. “ERM in Higher Education.” Available at www.urmia.org/library/docs/reports/URMIA_ERM_White_Paper .
Whitfield, R. N. 2003. “Managing Institutional Risks: A Framework.” Doctoral dissertation. Retrieved from ProQuest Dissertation and Theses database, AAT 3089860.
Willson, C., R. Negoi, and A. Bhatnagar. 2010. “University Risk Management.” Internal Auditor 67:4, 65–68.
Wilson, Richard. 2013. “Managing Risk.” Inside Higher Education, May 20. Available at www.insidehighered.com/blogs/alma-mater/managing-risk.
ABOUT THE CONTRIBUTOR
Anne E. Lundquist has had 20 years of increasing administrative responsibilities in higher education, having served as the dean of students at four liberal arts colleges. She received a BA in religious studies from Albion College and an MFA in creative writing from Western Michigan University. Currently, she is a PhD candidate in the Educational Leadership program at Western Michigan University with a concentration in higher education administration, where she works with the vice president of student affairs on student affairs assessment and strategic planning and with the internal auditor and University Strategic Planning Committee on ERM implementation. Her dissertation research study is titled “Enterprise Risk Management (ERM) in Colleges and Universities: Administration Processes Regarding the Adoption, Implementation and Integration of ERM.” Using her expertise in several areas, she has presented and been the author of articles on risk management, institutional liability, students with psychiatric disabilities, assessment and strategic planning, intercultural competence, and the development and implementation of integrated community standards/restorative justice judicial models. She is the coauthor of The Student Affairs Handbook: Translating Legal Principles into Effective Policies (LRP Publications, 2007). She has had three recent risk management publications in peer-reviewed journals: URMIA Journal (2011, 2012) and New Directions for Higher Education, Special Issue, Disability and Higher Education (with Allan Shackelford, July 2011).
Special thanks to Andrew Faris, Enterprise Risk Management Analyst at the University of Washington, for sharing information about the university’s ERM process, answering questions, and providing material for the case study.
CHAPTER 10
Developing Accountability
in Risk Management
The British Columbia Lottery Corporation
Case Study
JACQUETTA C. M. GOY
Director of Risk Management Services, Thompson Rivers University, Canada and
Former Senior Manager, Risk Advisory Services, British Columbia Lottery
Corporation
This case study describes how enterprise risk management (ERM) has developed over the past 10 years at British Columbia Lottery Corporation (BCLC), a Canadian crown corporation offering lottery, casino, and online gambling. BCLC’s enterprise risk management program has been developed over time through a combination of internal experiential learning and the application of specialist advice. The program’s success has been due to the dedication of a number of key individuals, the support of senior leadership, and the participation of BCLC employees.
The approach to ERM has evolved from informal conversations supported by an external assessment, through a period of high-level corporate focus supported by a dedicated group of champions using voting technology, to an embedded approach, where risk assessment is incorporated into both operational practice and planning for the future using a variety of approaches depending on the context.
BACKGROUND
BCLC is a crown corporation operating in British Columbia (BC), Canada. The corporation was established by act of the British Columbia legislature in 1985. As a commercial crown corporation, BCLC is wholly owned by the province but operates at arm’s length from government, enjoying operational autonomy while reporting to the minister responsible for gaming, currently the Finance Minister. All profits generated by BCLC go directly to the provincial government. The initial remit of the corporation was to operate the lottery schemes previously administered for British Columbia by the Western Canada Lottery Corporation. In 1997, BCLC was given responsibility to conduct and manage slot machines, and in 1998 the corporation’s remit broadened again with additional responsibilities for table games in casinos. In 2004 an online service, PlayNow (www.playnow.com), was launched.
BCLC has been a highly successful organization for over 28 years, delivering over $15.7 billion in net income to the province of British Columbia. From April 2012 to March 2013 more than $1 billion in gambling proceeds helped fund health care, education, and community programs in British Columbia (BCLC Annual Service Plan Report 2012/2013). BCLC operates the provincial lottery and instant games and provides national lottery games through the Interprovincial Lottery Corporation. Across the province, BCLC manages 17 casinos (15 casinos plus two casinos at racetracks), 19 community gaming centers, and six bingo halls through a number of private-sector service providers. PlayNow, BCLC’s legal online gambling website, offers lottery, sports, bingo, slot, and table games, including online poker. BCLC employs about 850 corporate staff with more than 37,000 direct and indirect workers employed in British Columbia in gambling operations, government agencies, charities, and support services.
BCLC’s mandate is to “conduct and manage gambling in a socially responsi-
ble manner for the benefit of British Columbians” with a vision that “gambling
is widely embraced as exceptional entertainment through innovation in design,
technology, social responsibility, and customer understanding.” The organization
holds the following values as key to its success:
• Integrity: The games we offer and the ways we conduct business are fair,
honest, and trustworthy.
• Social Responsibility: Everything we do is done with consideration of its
impact on and for the people and communities of British Columbia.
• Respect: We value and respect our players, service providers, and each
other.
BCLC believes that playing fairly is a serious responsibility and an empower-
ing opportunity. A commitment to social, economic, and environmental respon-
sibility is central to everything the organization undertakes, and is reflected in
the BCLC slogan, “Playing it right.” BCLC strives to create outstanding gambling
experiences with games evolving with the player’s idea of excitement. For BCLC,
playing is not all about winning; it’s about entertainment.
THE BEGINNINGS OF THE RISK MANAGEMENT JOURNEY
BCLC began its enterprise risk management journey in 2003 with the initiation
of an Enterprise-wide Risk & Opportunity Management (EROM) initiative. The
impetus for the initiative was twofold—the 2002 inclusion of risk management in
the British Columbia Treasury Board’s Core Policy and Procedures Manual and
BCLC’s head of Audit Services championing the need for enterprise risk manage-
ment (ERM).
As a first step, an external consulting firm was contracted to undertake an
enterprise-wide risk assessment and to support the Internal Audit team in devel-
oping the skills and resources to manage the new ERM program. Interviews and
facilitated workshops at management and executive levels were conducted, a risk
DEVELOPING ACCOUNTABILITY IN RISK MANAGEMENT 181
dictionary was constructed, and the highest risks were identified. The assessment
focused on inherent risk compared with an evaluation of management effective-
ness to produce a gap analysis, and there was also a discussion around risk toler-
ance. A final report was produced (Deloitte and Touche 2003), and advice was also
provided on potential next steps for the program.
Although the EROM initiative was well received, financial constraints put a
hold on the subsequent business case. As a result, the plan to take the program
forward through the appointment of a dedicated risk manager and funding for
training of a number of risk champions was not implemented at that time.
LEARNING FROM THE FIRST ERM INITIATIVE
The initial assessment provided a strong starting point for the BCLC ERM pro-
gram, but even though the engagement was originally intended to be the first
part of a longer-term initiative, there was insufficient impetus to put the pro-
gram into operation in the face of competing priorities. This is not an unusual
outcome, as although using a consultant to kick-start programs can leverage expe-
rience and expertise that organizations may not otherwise have access to, using an
external party contracted for a defined period of time can also lead to a project
type approach, where the focus is more on getting the risk assessment com-
pleted and less on longer-term implementation. In addition, it may be easier to
source short-term consultancy fees than it is to obtain longer-term resourcing
commitments.
Another issue can arise where consultants bring in defined methodologies that
do not easily fit with the organization’s normal approach to decision making or
where participants do not understand the underlying process, and so do not fully
endorse and own the outcome. To overcome this issue, the consultants worked
closely with the BCLC Internal Audit team with part of the stated purpose of the
engagement being to build risk management expertise within BCLC.
RESTARTING THE PROGRAM—2006–2008
In early 2006, the head of Audit Services’ proposal to update the 2003 risk assess-
ment was endorsed by BCLC’s executive team. Audit Services facilitated an assess-
ment of critical strategic and operational risks facing BCLC, by developing a set
of risks for analysis through consultation with the executive team, preparing an
environmental scan, and concluding with a facilitated risk workshop to evaluate
and prioritize each risk. The initiative was strongly informed by the successful
ERM program being run at that time by another Canadian lottery organization,
the Atlantic Lottery Corporation.
The intended outcome of the 2006 assessment was to inform the three-year
audit plan, to develop new risk criteria, and to raise awareness about the
importance of risk management. The success of the exercise led to the development and
acceptance of a business case in August 2006 to resource a part-time risk man-
ager, responsible for putting into operation the risk management program. This
approach was endorsed by the CEO as part of an organization-wide initiative to
develop and embed a high-performance culture across BCLC.
Exhibit 10.1 2006 ERM Organizational Structure
[Figure: organization chart showing the Board of Directors (via the Audit
Committee), the Executive, the Executive Sponsor, the ERM Advisory Team, the
Enterprise Risk Manager, and Audit Services.]
Leadership for the initiative was assigned to an executive sponsor. In the first
instance, this was the chief information officer.
A cross-functional leadership team model was also approved, to be known as
the ERM Advisory Team, responsible for oversight and approval of recommenda-
tions on behalf of the Executive Committee and consisting of the executive spon-
sor and a small number of key directors from each BCLC division. Operational
support was provided by Internal Audit. The organizational structure is shown in
Exhibit 10.1.
It is not entirely clear why the 2006 risk assessment exercise led to support
for an ongoing ERM program while the 2003 initiative did not. The head of Inter-
nal Audit championed both initiatives, and the earlier risk assessment activity was
well received. The consultants reporting in 2003 stated that “the culture in BCLC is
proactive and is ideally suited to the EROM’s philosophy and benefits.” Executive
response to both initiatives was largely positive. There does not appear to have
been a so-called burning platform created in 2006; it was more a growing recogni-
tion that the time was right to adopt a more formal approach to ERM. It may be that
increasing recognition of the importance of managing risk across North America
with the introduction of Sarbanes-Oxley requirements1 and publication of COSO’s
ERM Integrated Framework in 2004 influenced senior management. Or it could be
that the simple iterative approach adopted by the head of Internal Audit when he
decided to update the 2003 risk assessment—”Start slow and at the top, get learn-
ing and feedback, and then take down the ladder”—demystified the concept and
increased engagement. Regardless, 2006 marked a new start for ERM, and the gen-
esis of the current BCLC program.
KEY STEPS IN THE DEVELOPMENT OF THE ERM PROGRAM
For the second risk assessment, a streamlined process was adopted. Rather than
starting with the risk statements from the dictionary, each VP was simply asked to
identify their top three strategic and operational risks, with the results analyzed,
combined, and allocated into the 2006 categories.
The resulting 37 risks were brought to two executive-level workshops and,
as with the 2003 assessment, voting technology was used for prioritization. Nine
critical risks were identified and taken forward to be integrated into the audit
plan. One key difference from the 2003 assessment was the development of
BCLC-specific likelihood and consequence qualitative criteria. Of interest is the
correlation between the two assessments, with only two critical risks identified
in 2003 not appearing in the critical zone in 2006, and no new critical risks
introduced.
With the appointment of a dedicated Enterprise Risk Manager and the support
of an executive sponsor, the launch of a formal ERM program became possible. The
senior auditor from the Internal Audit team moved to the new position, bringing
continuity with previous ERM initiatives. Between August and December 2006, the
focus was on developing the core risk documentation, including terms of reference
for the new steering group, an ERM policy, a project charter, and an initial plan.
The initial areas of focus were to:
• Develop and continuously refine a practical ERM framework to support the
identification and management of risk.
• Continuously manage risks, limiting exposure to an acceptable level while
maximizing business opportunities.
• Embed a risk awareness that is a key component of instilling a high-
performance culture.
A key feature of the new approach to ERM was the formation of the ERM Advi-
sory Committee (known as ERMAC). The concept of ERMAC was to create risk
champions, high-performing senior leaders from each division whose role would
be to influence, communicate, and educate management and staff within their busi-
ness areas about the benefits of risk management.
By January 2007, the new committee was established and the ERM policies
and plan were in place, with proposals to embed risk management into project
planning, business cases, and strategic planning under discussion.
In May 2007 a critical report about BCLC was issued by the British Columbia
Ombudsman following an investigation into BCLC’s prize payout processes
(BC Ombudsman 2007). The investigation was triggered by a CBC Fifth Estate
investigation2 in October 2006 on issues in Ontario associated with lottery retail-
ers winning major prizes, with the concern being that similar issues could have
occurred in British Columbia. Although no incidents of wrongdoing were discov-
ered during the investigation, the report and a subsequent audit and recommen-
dations published by Deloitte & Touche in October 2007 marked a critical point in
BCLC’s transformation into a modern player-centric organization.
For risk management, the Ombudsman’s review led to both a greater impe-
tus and a broader focus for the program. BCLC had always considered integrity
to be vital to the organization, but the fundamental goal of delivering revenue to
government was often the dominant concern, and this was reflected in earlier risk
assessments. With the advent of the Player First program,3 significant additional
resources and oversight were now dedicated to security, compliance, and reputa-
tion management, and this increased emphasis was reflected in the risk assessment
conducted by the ERMAC team in April 2007.
The basis of the assessment was the risk statements completed by the Executive
Committee in 2006, with new key risks facing BCLC added through consultation
with key members of each of the business/support units and incorporated into an
expanded risk dictionary. Once the new risk statement descriptions were agreed
on, workshops were held to assess the risk ratings, and also to determine how
effective were current arrangements for managing each risk. The 12 risks with the
largest gaps identified between risk rating and management effectiveness were
then selected for further profiling and control analysis.
Throughout 2007, the remaining enterprise risks were profiled in order to bet-
ter identify the associated causes and controls. Two further enterprise risk assess-
ments were facilitated in 2008, and a regular quarterly risk report produced from
June 2008 forward provided details of both the development of the overall program
and monitoring of individual risks.
Parallel to the enterprise risk assessment, a project risk assessment approach
was developed and implemented, with a number of initiatives used to facilitate
risk assessments, very similar to those conducted at an enterprise level. As with
the enterprise risk assessments, the risk dictionary was used to support the devel-
opment of potential risk statements, which were then voted on at a facilitated
meeting of the core project team. Project risk assessments were piloted with
four projects in 2007, and further developed with seven project risk assessments
facilitated in 2008. Although the workshops were generally felt to be productive
and beneficial, the volume of risks generated meant that on occasion it was not
possible to assess all the risks presented.
In May 2008, the Enterprise Risk Manager was appointed director of Audit
Services. Although risk assessments continued to be supported by the Internal
Audit team, the further development of enterprise risk management was con-
strained due to the lack of dedicated resources, as the ERM manager post was not
immediately filled.
REVITALIZING THE ERM PROGRAM—2009–2010
In the fall of 2008 the position of Manager, Risk Planning and Mitigation was
created and an experienced risk manager was recruited to the position in late
December 2008. The original intention of the appointment was to increase focus on
risk treatment strategies and business-unit-level risk management activities, with
the expectation that Internal Audit would continue to develop and report on the
enterprise risk management framework. In late January 2009, the director of Audit
Services left BCLC and the manager of Risk Planning and Mitigation assumed
responsibility for managing all aspects of the ERM program.
The new risk manager brought a more operational approach, and was able
to build on the excellent foundations already established to develop a new ERM
strategy and supporting plan designed to move the ERM program to the next stage
of maturity.
Throughout 2009, BCLC transitioned from the previous approach, where a
portfolio of enterprise risk statements was assessed at a corporate level by ERMAC
members, to a specific risk register with risks evaluated and agreed on at a divi-
sional level and significant risks then escalated to the enterprise register.
One of the first changes was to move from an assessment of inherent risk with
a supplementary assessment as to whether the risk was thought to be managed
effectively to the use of a residual risk assessment methodology that included a
more formal assessment of the effectiveness of control mechanisms in place. The
next enterprise risk assessment was conducted in March 2009, and moved from
the ERMAC voting approach to assessments by individual risk owners, with the
committee providing more of a quality assurance function. New risk criteria were
also adopted. A significant outcome was that the majority of risks were rated at
a lower impact/consequence level (18 out of 29 dropping at least one rating, and
three falling from critical to low risk).
Between March and July 2009, a series of risk and controls assessments work-
shops were held covering all divisions. The workshops brought together either
functional teams or collections of specialists in thematic sessions (for example,
marketing). Close to 300 managers and staff were involved. Each group attended
two workshops; the first featured an educational component, brainstorming
exercises, and process mapping with threats and vulnerabilities identification,
while the follow-up session looked at a number of prioritized areas of risk in
more detail, with a deep-dive assessment of risks and controls. The output of
the workshops was the creation of divisional risk registers. Enterprise-level risks
were then extracted from the divisional registers for an organization-wide view
of all significant risks.
By September 2009, risk registers were established for all divisions. The new
registers were more comprehensive than the previous risk documentation, with a
greater focus on risk treatment and specific individuals identified as responsible
for each risk treatment plan. The risk management policy was updated and new
supporting guidance published.
Through 2009 and 2010, the risk management approach was further developed
and embedded. In particular, the use of risk management in business case develop-
ment and project management increased, while the new registers were updated on
a quarterly basis. Regular quarterly reports on the risk management program were
produced for discussion by the Executive Committee and at the Audit Committee.
In the summer of 2010, the risk management policy and guidelines were
updated and a new risk management strategy was produced to reflect the
newly published international standard on risk management, ISO 31000:2009, Risk
Management—Principles and Guidelines. BCLC had previously been using the
Australian risk management standard (AS/NZS 4360:2004), so the move to the
new standard was a simple transition. At the same time, the government of British
Columbia endorsed the new standard across all ministries, and subsequently used
the approach for a number of provincially coordinated risk management activities
(for example, planning for the 2010 Winter Olympics and preparing for a potential
pandemic). The policy stated: “BCLC is committed to building increased aware-
ness and a shared responsibility for risk management at all levels of the organiza-
tion, and to facilitate the integration of the management and prioritization of risks
into planning and operational activities.”
The terms of reference for the ERMAC were also updated (see Exhibit 10.2),
reflecting the change in practice from a single central risk assessment to the more
devolved approach now in place.
Exhibit 10.2 Terms of Reference for the Enterprise Risk Management Advisory Committee

January 2007–March 2010
C. Terms of Reference
ERM Advisory Committee (“ERMAC”)
The ERMAC is an operational committee promoted and supported by the Executive
to oversee the risk management process of the BCLC. The ERMAC reports to the
Executive Sponsor. The ERMAC will:
• Approve a suitable risk management mandate, terms of reference, and policy
for BCLC, for endorsement by the Executive
• Approve and oversee the implementation of a flexible, adaptable Risk
Management process of BCLC as a whole, on behalf of Executive
• Recommend an appropriate risk appetite or level of exposure for BCLC to the
Executive
• Identify and quantify fundamental risks affecting BCLC, and ensure that
arrangements are in place to manage those risks
• At least annually, review fundamental risks and their controls and report to
Executive
• Inform the Audit Committee on risks and controls that should be included in
the Audit needs assessment, ensuring the integration of Audit Services into
risk management
• Ensure that critical risks are adequately dealt with
• Help embed a risk management culture into all major decisions, through risk
education, high-level controls, and procedures
• Consider major decisions affecting BCLC’s risk profile or exposure

March 2010–March 2011
C. Terms of Reference
ERM Advisory Committee (“ERMAC”)
The ERM Advisory Committee is tasked by the Executive to support the
implementation of risk management across BCLC. The committee will:
• Appraise, revise, and monitor the annual risk management program;
• Review any changes to the Risk Management Policy prior to submission for
approval by the Executive;
• Consider and approve procedures and guidance to support the risk
management policy and process;
• Review the effectiveness of risk management processes used across BCLC;
• Help embed a risk management culture across the organization;
• Support the development of a risk management awareness and education
program; and
• Provide support for the Divisional Risk Representatives, through
encouraging sharing experience and enabling frank discussion of any
risk-related issues arising.
From time to time the committee may also focus on a particular area of risk.
STRENGTHENING THE PROGRAM—2010–2013
In 2010, it was agreed that Internal Audit should conduct a review of the risk
management program with a view to “identify any gaps and areas for improve-
ment to ensure that the fundamental building blocks are in place to deliver on the
organization’s risk management needs effectively and efficiently.” Interviews were
conducted with Enterprise Risk Management Advisory Committee members, the
executive team, CEO, and board and Audit Committee members.
The review found that the ERM process was well established and documented,
with strong levels of support from all levels of the organization and an increasingly
risk-conscious culture. However, risk management was not yet fully embedded
within all of the organization’s functions. There was some variance in perceptions
of risk tolerance, and in general the program was stronger on reporting risks than
it was at driving change, with significant amounts of informal risk-related discus-
sions taking place outside of the program. Senior management also reported that
too many risks were escalated to them, often at a level that was perceived to be too
granular or operational.
In addition to the internal review, BCLC took part in a benchmarking exercise
conducted by Ernst & Young together with seven other Canadian lottery and gam-
ing organizations. The exercise consisted of a questionnaire completed by key risk
personnel at each organization facilitated by telephone interviews conducted by
the E&Y team.
The results (Ernst & Young 2010) showed that BCLC was in a similar position
to many of the other gaming organizations in having a relatively young ERM pro-
gram. In common with much of the gaming industry at the time, BCLC’s strongest
area was risk assessment, while risk tracking and the ERM structure were rela-
tively weak (see Exhibit 10.3). The exercise included a simple self-assessment of
perceived ERM maturity, where BCLC assessed itself as having risk activities in
Exhibit 10.3 ERM Maturity at BCLC in 2010
Extracted from Ernst & Young ERM Benchmarking Survey, 2010.
[Figure: chart on a 1–5 scale comparing assessed ERM maturity and perceived
ERM maturity for the participating organizations, labeled A through H, across
six dimensions: Culture and Communication, Risk Tracking, Structure, Risk
Assessment, Action Plans, and Link to Strategy. Level 3—In place: risk
management activities are established, yet not consistently applied or fully
understood by management and relevant employees in key functions/business
areas.]
place, but that risk management was not yet consistently applied and well under-
stood by management and employees across the organization.
The results of the internal review and the E&Y assessment were presented to
BCLC’s executive team in February 2011. A number of recommendations were pro-
posed and adopted, including strengthening senior management ownership and
accountability, realigning risk criteria to better match BCLC’s tolerance for risk
across organizational objectives, and broadening the focus of the program from
largely operational to a more strategic level.
In April 2011, the risk management function moved to the Finance and Cor-
porate Services division, with the CFO taking responsibility for executive leader-
ship of the program. The risk criteria and evaluation matrix were updated and the
risk review process strengthened, establishing regular review meetings for every
division whereby each division’s senior management team reported to their vice
president (VP) on their risks every quarter. Risk oversight was also reviewed, and
in addition to strengthening processes at a divisional level, dedicated time at exec-
utive meetings was scheduled to review the quarterly risk report prior to presen-
tation to the Audit Committee. A key step in increasing accountability came from
the formal assignment of each area of high risk to the appropriate VP, who would
be responsible for reporting each risk in detail and providing a regular update on
progress with the agreed treatment plans.
At this time, the ERM Advisory Committee was disbanded. While the commit-
tee of risk champions had played a significant role in coordinating initial assess-
ment activities and in increasing the understanding of risk management across the
organization in the early years of the risk management program, it was now felt
that as all directors were expected to be fully conversant with risk management
and with the movement of risk identification, evaluation, and reporting into main-
stream management, the group no longer added significant value.
A new Risk Management Planning Group reporting to the CFO was estab-
lished to align and coordinate a number of risk and compliance activities, in par-
ticular looking for synergies between the risk, business continuity, insurance, and
antifraud programs. The intention of the group was to assist in the design of tools
and approaches that deliver progress across the programs and also reduce man-
agerial overload from potentially competing programs.
Over the next year, a series of risk reviews were undertaken with each divi-
sion, with the aim to refresh the divisional registers and to make sure that each
group reviewed both current and potential risks against both BCLC and divisional
strategies. The format of the reviews varied across groups, dependent on divisional
responsiveness and parallel activities. Several workshops were held with broader
management teams, two were jointly coordinated with Internal Audit exercises,
and one was externally facilitated. The review process further increased ownership
and accountability by reinforcing the message that risk management and reporting
are the responsibility of everyone throughout the organization.
In early 2012 BCLC invited an external consulting firm to look again at its
ERM program, consider the progress made since the work in 2003, and make
some recommendations as to next steps. In April 2012, the consultants delivered a
presentation to the board on “Moving from a Risk Monitoring Organization to a
Risk Intelligent Organization,” and facilitated a discussion on risk governance and
oversight. It was agreed to move risk oversight from the Audit Committee to the
full board, to include more formal consideration of risk in the strategic planning
process, and to continue to improve risk management processes, practices, and
awareness.
In the winter of 2012 an opportunity arose to embed ERM into strategic plan-
ning when an exercise to identify and assess strategic risks was undertaken. The
aim of this exercise was to identify and prioritize a set of holistic enterprise-level
longer-term risks in order to inform strategic planning alongside a program of opti-
mization. An off-site workshop was led by the CEO and the executive team with
additional input from a small group of directors known as the leadership team, and
supported by risk, corporate strategy, and audit services. Facilitation was provided
by an external party. During the workshop, political, regulatory, economic, com-
petitive, technology, and social business environmental factors were considered,
and after a lively and informed discussion 11 key strategic risks were identified
and initial sponsors assigned.
Following the workshop, a series of meetings were held with the assigned VP
leads and other relevant parties, facilitated by the Senior Manager, Risk Advi-
sory to discuss each risk in greater detail and using a bow tie approach,4 identi-
fying key causes, consequences, controls, and planned treatments. A formal report
was developed, and a strategic risk register is now in place. Going forward, the
strategic risks will be used to inform strategic planning and business optimization,
while the shorter-term, more operationally focused risks continue to be reflected
and addressed in business planning at an enterprise, divisional, and initiative
level.
BUILDING THE RISK PROFILE
One of the first steps often taken by many organizations in developing enter-
prise risk management is to identify the risks that the organization faces, although
ISO 31000 recommends that the risk framework is established prior to this step and
that the context is established prior to risk identification. For BCLC’s first risk iden-
tification exercise, the context was provided by the consultancy team in the form
of a risk dictionary or universe. The idea behind the risk universe concept is that
all potential risks can be identified and classified into definitive categories, which
can then be used as a generic tool to identify risk within and across organizations
in a consistent manner.
The universe used for the initial BCLC risk assessment contained 70 generic
descriptions of risks, which were adapted after consultation to fit the BCLC
environment more accurately. The resulting 2003 BCLC risk universe included
59 potential risks divided into external and internal categories with strategic, oper-
ations, technology, financial, and organizational health subcategories, and can be
seen in Exhibit 10.4. Each risk was given both a two- or three-word title and a short
high-level description.
Some risk practitioners consider that the development and use of a risk uni-
verse or defined classification system is essential in any enterprise risk manage-
ment program (Society of Actuaries 2009, 2010). However, to be effective there
must be clear rules to support consistent classification, and each set of risks must
consist of like items that are relevant to management decision making.
Exhibit 10.4 The 2003 BCLC Risk Universe

External Risks: Competitor; Catastrophic Loss; Financial Markets; Legal;
Regulatory; Player Demands & Satisfaction; Economic, Political & Societal
Change; Industry; Technological Innovation.

Internal Risks
Strategic: Environmental Scan; External Relations; Business Portfolio;
Performance Measurement; Mergers & Acquisitions; Alignment; Organizational
Structure; Business Model; Culture; Governance; Strategic Alliance.
Operations: Capacity; Fraud; Communication; Extended Enterprise; Vendor
Management; Health & Safety; Change Management; Environmental; Compliance;
Customer Satisfaction; Brand Name; Reputation; Pricing; Product Development;
Safeguarding of Assets; Business Interruption; Supply Chain; Product/Service
Failure; Knowledge Management; Project Planning; Performance Gap; Gaming
Integrity.
Organizational Health: Recruitment; Training & Development; Employee
Satisfaction; Ethics & Values; Accountability & Responsibility; Leadership;
Retention, Recruitment, & Succession Planning.
Technology: Access, Security, & Tech. Integrity; Information Availability;
Technology Infrastructure.
Financial: Credit; Market; Liquidity; Budget & Planning; Valuation; Capital
Acquisition & Management; Financial & Management Reporting.
One common issue is that the list of risk statements may contain a mix of risk
events, root causes, and outcomes, leading to imprecision and confusion, which
may make assessing the level of risk or determining appropriate treatment more
difficult. Another issue is that risk statements may be expressed in very generic
terms that may not easily apply to the organization in question, or may make con-
tributors feel that the risk assessment exercise is academic and not directly related
to their day-to-day experiences.
The 2003 BCLC risk dictionary exhibited both of these issues, as shown in
Exhibit 10.5.
Exhibit 10.5 Analysis of Sample Statements from the 2003 BCLC Risk Dictionary

Example statement: Catastrophic loss risk—A major disaster threatens BCLC’s
ability to sustain its operations and minimize financial losses.
Type: Outcome
Issue: The outcome could arise from a variety of different circumstances,
making risk response problematic.

Example statement: Governance risk—BCLC does not have the appropriate
governance practices in place.
Type: Cause
Issue: It is unclear why practices might be a cause for concern, making
assessing the level of risk difficult.

Example statement: Health and safety risk—Failure to provide a safe working
environment for its workers exposes the organization to compensation
liabilities, loss of business reputation, and other costs.
Type: Risk
Issue: This is a clear problem and outcome statement but is expressed
generically, which may mean that there is a poor fit to the organization.
The intention behind the development of the risk dictionary was to provide
common categorizations for specific risks identified across BCLC, and it was used
effectively at a business unit level both to stimulate conversation and to identify
specific risks, which were then translated to draft risk registers. At the enterprise
level, the high-level statements were used for evaluation, and specific risk state-
ments were not created.
The BCLC risk dictionary was reviewed, updated, and expanded in 2007 fol-
lowing the risk assessment exercise conducted by the Enterprise Risk Manager and
the ERMAC team. One hundred and nine risk statements were captured in the cat-
egories of external, process, strategic, information, human capital, integrity, tech-
nical, and financial.
Through 2007 and 2008, the risk dictionary was used as the basis for assess-
ments at an enterprise level, and the prioritized enterprise risks were then used
to structure project risk assessments and also increasingly to support risk assess-
ments in business cases.
In late 2008, as part of the ongoing development of corporate performance
management, BCLC completed an exercise to implement the balanced scorecard
methodology. This approach greatly assisted the risk management program in tak-
ing a fresh look into the corporate risk profile, and all of the risks were aligned
to the new balanced goals. As a result, the risk dictionary was retired, with new
guidance issued in 2009 recommending that all risk assessments start not from a
predetermined list, but instead by looking at the objectives of the enterprise and,
where relevant, the specific initiative.
The BCLC risk register generally includes around 100 risks across the nine divi-
sions. As spreadsheets are currently used to manage the risk information, a deci-
sion was made to remove green (low) risks where it is determined that the risk level
is stable and provided that there are sufficient monitoring processes embedded
into mainstream management. Each quarter, a small number of new risks are iden-
tified and an equally small number are retired as circumstances change, awareness
increases, and treatment plans come to fruition.
BCLC places particular emphasis on the construction of clear descriptions for
each risk, with the following guidance provided to all employees:
It is of particular importance that all risks are clearly expressed. BCLC has adopted
a “CCC” approach where all risk statements should include not only the poten-
tial change but also the most significant consequence and cause. Risk statements
should start with wording equivalent to “The risk of/that” or “The opportunity to”
and be expressed as a possibility (using “may” or “might”). Descriptions should
be limited in length and specialized jargon or acronyms should be avoided where
possible, so that anyone reading the risk statement can easily understand the risk.
Care should be taken in order to avoid alarmist language. When recording partic-
ularly sensitive risks, advice should be sought from either Risk Advisory Services
or the Legal Services team.
—BCLC Risk Management Guidelines, 2013
On a regular basis, the Enterprise Risk Manager assesses the full set of risks and develops thematic risk maps, cascading from organizational goals and relating to key corporate strategies (the template schematic is shown in Exhibit 10.6). These maps have been used as a key input to risk review workshops and are incorporated into quarterly reporting processes. The advantage to this fluid approach is that the maps are easily modified as organizational focus has evolved; however, at present production is reliant on the insight and capacity of the Enterprise Risk Manager. BCLC is currently exploring purchasing a specialist ERM software support solution to more efficiently manage the program. Automated risk interdependency mapping is a function that the administrators hope to be able to purchase.

Exhibit 10.6 Thematic Risk Map Schematic: a map whose nodes are labelled Vision, Goal, Strategy, High-Level Risk, and Specific Risk, cascading from the vision through goals and strategies down to high-level and then specific risks.
THE ROLE OF RISK MANAGERS, CHAMPIONS, AND COMMITTEES
BCLC’s risk management program would not have been possible without the two
risk managers, the ERMAC group and its champions, and the initial drive from the
head of Internal Audit to implement ERM. Although most risk managers will state
that the most important prerequisite for a successful risk management program is
active endorsement by senior management, the provision of operational manage-
rial resources is also essential. At BCLC, as with most organizations, the greatest
progress has been made when there has been a designated risk manager assigned
to the ERM program.
The role of the central risk function at BCLC, Risk Advisory Services, has not
been to manage any specific risks, but rather to provide expert facilitation, coordi-
nation, and advice to management. The accountability for individual risks remains
with the manager responsible for the program where the risk originates.
The two managers who have supported the ERM program came from very
different backgrounds and brought different approaches to the program. The
program was initially established within Internal Audit, and the first risk
manager brought both extensive internal audit experience and, as an internal
appointment, an understanding of BCLC’s culture and approach. The second risk manager came with a
more operationally focused risk management background and from a very differ-
ent sector. Enterprise risk management is a developing discipline, and practition-
ers come from a wide variety of backgrounds (including finance, audit, health and
safety, quality assurance, engineering, insurance, etc.), each with their own slightly
different approach. Where risk management programs are supported by a single
individual, change in personnel can be an opportunity to revitalize programs but
also has the potential for discontinuity.
During the initial establishment of the program in 2007–2008, the active
engagement of the ERMAC group of risk champions supported adoption of risk
management across BCLC, bringing their knowledge and enthusiasm to both the
enterprise risk assessments and the development of the program as a whole.
Risk champions are frequently advocated as a way to embed risk management
into functional areas through their existing personal and professional relation-
ships, and also as a group with diverse backgrounds and operational experience
to assist with articulating a more holistic enterprise-level view of risk. However,
there are some issues with the concept:
• Those selected may be the usual suspects—individuals who are chosen for
every initiative either because they are felt to be particularly capable, in
which case they may be overly stretched, or conversely because they are
underutilized at present, leading to the possibility that they may not have
the required influence to be effective.
• There may be a perception that the champion is responsible for risks in
his or her division or functional area, even though other individuals hold
the appropriate managerial or oversight role. This issue may lead to risks
being identified but not effectively managed with formal treatment plans,
and potentially to difficulties with monitoring and follow-up. Over time,
champions may feel that they are put in a difficult position, or may become
frustrated that their concerns are not taken forward and acted upon.
During the establishment of the ERM program, the role of the champions on
the ERM Advisory Committee was clear, but as the program progressed, and in
particular following the changes in 2009, the mandate became less clear and mem-
bers began to feel a degree of frustration. The 2010 Internal Audit ERM review
picked up on these concerns, and a new model was proposed that led to the dis-
banding of the committee in 2011.
The new model recognized the high level of engagement of senior manage-
ment across BCLC and the more dynamic role of the Executive and the board,
and also picked up on the developing concept of linking governance, risk, and
compliance (GRC) matters into an integrated approach. The previous mandates
of both ERMAC and a compliance committee that BCLC had established in early
2010 were brought together into the new Risk Management Planning Group (see
Exhibit 10.7). This group consists of the leads from key BCLC programs, such as
business planning, portfolio management, business continuity, enterprise architec-
ture, internal audit, and policy management, with the primary role to share knowl-
edge and improve coordination across the functions.
Early accomplishments for the group included the development and adoption
of a shared lexicon of key risk management terms, and a jointly developed compli-
ance management proposal and business case. Currently, the group is focused on
developing a broad-based GRC-type dashboard, which will bring together infor-
mation about the status of risks, audits, policies, regulations, performance indica-
tors, incidents, and issues at a divisional level.
Exhibit 10.7 ERM Governance Structure, 2012–2013: a diagram of the bodies involved (Board of Directors; Executive, which monitors significant risks, treatment plans, and compliance issues; Risk Management Planning Group; Internal Audit; Divisional Management with the Divisional Risk Review Meetings; Project Management with the Project Steering Group Meetings) and the roles marked against them (determines strategy; supports the Risk Management Program; provides advice and verification; oversees the program and leads risk reviews; reviews risks and treatment plans; undertakes risk management activity; coordination), with direction flowing down and reporting flowing up.
DEVELOPING A MORE SOPHISTICATED APPROACH TO RISK ANALYSIS AND EVALUATION
According to ISO 31000, an essential part of developing any risk management
framework is defining the criteria for evaluating risk. Risk criteria are used to
reduce subjectivity and to communicate risk tolerance, and should lead to con-
sistency across different assessments. In common with many nonfinancial organi-
zations, BCLC uses risk tables with qualitative descriptions of a variety of potential
impacts.
Over the past 10 years, a variety of risk tables and evaluation approaches have
been adopted.
When BCLC conducted its initial enterprise risk management exercise in 2003,
the consultants provided generic consequence, likelihood, and management
effectiveness scales, each with a 1 to 5 range. The impact ratings focused
on monetary and service provision consequences, while the likelihood ratings con-
sidered the chance of occurrence over the next three years.
For this initiative, risk workshops were used for the majority of risk analysis,
with risk statements either predetermined or defined in advance using interviews
with key internal stakeholders and then voted on by the Executive Committee, the
ERMAC team, or a specific project team depending on the context. Voting tech-
nology was used at each workshop, with each participant independently rating
each risk. After each vote, the software calculated the average score and derived
an overall risk rating for each risk. Using voting has a number of benefits, princi-
pally allowing a large number of risks to be assessed in a relatively short period of
time. Advocates also claim that voting reduces group bias, as results can be pre-
sented anonymously and any variations can be discussed.
Voters at each facilitated workshop were asked to rate the likelihood that a
particular event would occur in the absence of any controls in place to mitigate the
risk (known as the inherent likelihood). Each risk was then mapped to one of four
categories (see Exhibit 10.8). An additional exercise considered the effectiveness
of current control levels for each risk and also the desired level of control in order
to identify any risks where it was considered that additional levels of control were
required.
The Internal Audit–led exercise in 2006 initially used a very simple scale (high,
moderate, low, and very low) when asking participants to identify/report their
top three risks, and then introduced a new BCLC-specific impact and likelihood
table to assess inherent impact and likelihood, using the same voting and aver-
aging methodology as used in 2003. The new risk criteria considered a range of
potential consequences, from threats to product integrity, to media reports, sales,
stakeholder relations, regulatory noncompliance, and budgetary impact. The new
likelihood ratings included both an assessment of the probability of occurrence
and reference to historical incidence and common root causes and control effec-
tiveness. The risks were again grouped into four categories, as can be seen in
Exhibit 10.9.
The 2007 enterprise assessment developed the risk assessment framework further, reflecting the additional resources now available to the ERM program with the appointment of a dedicated manager and the engagement of the new ERMAC team. The criteria were revised once more, with metrics developed for each category of consequence, a cleaner likelihood table with measures of both probability and frequency, and a new management effectiveness rating table.

Exhibit 10.8 2003 Risk Mapping Approach (inherent likelihood against consequence, four quadrants):
Less significant: less significant risks; little monitoring or effort required.
Secondary: likely to occur but have a small impact; consider the cost/benefit trade-off.
Critical: critical risks that will have a significant impact on operations and organizational objectives and are likely to occur.
Primary: lower likelihood, but could have a significant adverse effect on operations and business objectives if the risk occurred.
Assessment participants were asked to vote on the impact if the risk event were to occur and the inherent likelihood of that event occurring. As with the previous assessments, the overall rating assigned to each risk was taken as the average, giving a score from 1 to 5 for each risk. A further vote was then conducted on how effective the ERMAC team considered current controls to be for each risk (the “current management effectiveness”). The two scores were then compared and any risks with a high-risk rating and lower management effectiveness rating were identified as requiring management attention.

Exhibit 10.9 2006 Internal Audit Risk Matrix (impact against likelihood, each scaled low to high):
Low Risks: list of two risk statements.
Moderate Risks: list of five risk statements.
High Risks: list of 17 risk statements.
Critical Risks: list of nine risk statements.
The highest-rated risks were used to inform the three-year Audit Plan.

Exhibit 10.10 2008 ERM Residual Risk Rating Matrix (impact against likelihood; each risk is placed according to the gap between its management effectiveness rating and its inherent risk rating):
Low Risks: the management effectiveness rating is the same as the inherent risk rating.
Moderate Risks (risk or opportunity): the two ratings differ only slightly (within 0.5).
High Risks: risk where management effectiveness is somewhat lower (by 0.5 to 1) than inherent risk; opportunity where it is somewhat higher (by 0.5 to 1).
Critical Risks: risk where management effectiveness is significantly lower (by more than 1) than inherent risk; opportunity where it is significantly higher (by more than 1).
The two enterprise risk assessments in 2008 in February and November used a
very similar approach to the 2007 assessment, except that, instead of reporting on
the inherent risk ratings and highlighting any significant gaps between the inher-
ent risk rating and the management effectiveness rating, the management effec-
tiveness metric was used to place each risk in a residual risk matrix, according
to the size of the gap. Where the gap showed that controls were insufficient, this
was termed a risk (better described as intolerable residual risk), and where the
gap showed that controls were excessive, this was classified as an opportunity (to
reduce control levels). The final outcome of the exercise is shown in Exhibit 10.10.
This approach was adopted partly in recognition that BCLC had not always
put in place sufficient controls for the level of risk, but also because there
was a perception that in some areas excessive controls had been implemented,
partly in response to the Ombudsman report and subsequent recommendations
and partly because some areas of the organization were considered to be risk
averse.
From 2009, there was a change in emphasis from primarily inherent to residual
risk assessments. This was partly due to the different approach of the new man-
ager, partly due to difficulties with accurately assessing inherent risk, and partly
because of a new opportunity with the development of new organizational goals.
BCLC had been exploring the concept of balanced scorecards5 as part of devel-
oping a more mature approach to performance management, and in early 2009
new risk criteria were introduced based on the new goals. This reinforced the link
between risk and wider business and strategic planning, and enabled the develop-
ment of a smaller set of risk impact categories that resonated with both manage-
ment and senior leadership. The impact criteria were developed with key man-
agers and validated with the executives, with an annual update incorporated into
the risk management planning timetable.
At this time also BCLC ceased to use the voting technology for a variety of
reasons, including cost and geographical limitations, and moved to an approach
where group workshops prioritized risk but did not undertake formal analysis
or evaluation. A variety of visual mapping techniques were introduced with a
more hands-on style adopted, requiring workshop participants to engage more
directly through the use of techniques such as using Post-its, voting cards, target
placement, assigning spots, and drawing process maps. Formal analysis moved to
the appropriate subject matter expert with quality assurance provided by the risk
manager and then confirmation of risk scoring provided by the relevant member
of the executive or project steering group.
In 2011, as an outcome of the Internal Audit ERM review, it was agreed that
the criteria were not sufficiently aligned with leadership attitudes to risk, and that
too many risks were being reported with a high rating and thus being escalated
in the quarterly report. An exercise was conducted with executives to better align
the existing risk criteria to organizational tolerance, and to discuss the perception
that the organization, or at least some parts of it, was overly risk averse. Perspective
was provided through discussion of the balance between risk aversion and
excessive risk appetite and the use of the “as low as reasonably practicable” princi-
ple (ALARP; sometimes also referred to as ALARA, as low as reasonably achievable;
described in ISO 31010).
Two activities were undertaken, each designed to look at the four dimensions
of impact in the ERM framework to ascertain whether current levels were an accu-
rate representation of the attitude of BCLC leadership toward risk, and to initiate
discussion where that attitude varied among the executives.
The first exercise (see Exhibit 10.11) used a poster showing the existing impact
criteria, and each executive was asked to mark where he or she believed the current
catastrophic or level 5 impact should truly fall on the scale. This clearly shows that
the scales in use at the time were generally felt to be misaligned with organizational
risk tolerance, in particular for financial/operations and people impacts.
The second exercise took a small number of existing and well-understood risks,
all currently assessed at a similar risk rating but with impacts across the different
dimensions. Each executive was asked to place the risk where he or she believed
it lay on the current impact table, again displayed as a large poster. Exhibit 10.12
depicts the mapping for two of the risks, showing both the spread of opinion, and
the disparity between the rating at the time and the risk attitude of the executives
both as individuals and collectively.
The exercises were successful in generating discussion about relative risk tolerances and showed both that the overall evaluation tools were escalating risk at too low a level and also that the risk criteria across the different impact dimensions were not completely aligned to the collective executive risk perception and attitudes.

Exhibit 10.11 Impact Scale Evaluation Exercise: a poster showing the four impact dimensions (Player; Financial/Operations; People; Public/Planet), each on a 1 to 5 scale with brief descriptions of the level 2 and level 4 criteria as anchors, on which each executive marked where he or she believed the level 5 (catastrophic) impact should truly fall.
The impact criteria and the risk evaluation table were adjusted after the exec-
utive meeting, and the new approach adopted for the next risk review in March
2011. As a result of changing the criteria, the number of risks escalated to the exec-
utive declined from 33 to 10, allowing a much greater focus on the most significant
risks, while risks now rated as having a moderate risk level continued to receive
focus at the divisional risk review meetings.
Exhibit 10.12 Specific Risk Impact/Likelihood Evaluation Exercise: the 5 x 5 matrix (likelihood: Rare, Unlikely, Possible, Likely, Almost Certain; impact: Insignificant, Minor, Moderate, Major, Catastrophic; cell score = impact x likelihood, from 1 to 25) with, for each of the selected risks, its original rating, the rating placed by each VP, and the consensus rating marked on the grid.

In early 2012, a new risk framework was put in place describing BCLC’s now maturing approach to enterprise risk management. The framework contained a section on determining appropriate risk responses, including a formal statement that BCLC had adopted the ALARP approach to determine the appropriate response to risk. This approach divides risks into three regions or zones:
1. An acceptable region, where further treatment may be undertaken but is not required
2. A tolerable region where treatment should be undertaken dependent on cost/benefit analysis
3. An unacceptable region where treatment to lower the risk is mandated
Taking an ALARP approach to risk response allows for flexibility when deter-
mining the best approach to managing risk, and reflects that organizations may
on occasion choose to adopt higher-risk strategies where the potential reward is
deemed to be sufficient, or may elect to carry significant risk where the cost of
treatment is felt to be prohibitive.
The relationships between criteria, severity, escalation, and tolerance are set
out in Exhibit 10.13.
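The rules described above (workshop votes averaged to a 1 to 5 rating; the 2008 residual matrix that classifies each risk by the gap between its inherent rating and its management effectiveness rating; and the 5 x 5 impact-by-likelihood severity score with its escalation bands) are simple enough to encode, and encoding them makes every threshold explicit and testable. The following Python is an added illustration written for this page; it is not BCLC's tooling, and the chapter describes none. The gap thresholds (equal, within 0.5, 0.5 to 1, more than 1) come from Exhibit 10.10; the numeric cut-offs for the green/yellow/amber/red bands, the mapping of those bands onto the ALARP regions, the function names, and the sample register entries are all assumptions made for the example.

```python
"""Risk rating helpers mirroring the BCLC evaluation rules described in the chapter.

Added illustration, not BCLC's own tooling. Three rules are implemented:
  * workshop vote averaging: independent 1-5 ratings, the mean is the rating
  * the 2008 residual risk matrix: classify by the gap between the inherent
    rating and the management effectiveness rating (Exhibit 10.10: equal -> low,
    within 0.5 -> moderate, 0.5 to 1 -> high, more than 1 -> critical; too little
    control is a "risk", too much control an "opportunity" to reduce controls)
  * the 5x5 impact x likelihood severity score with escalation bands
    (Exhibit 10.13). The numeric band cut-offs are an ASSUMPTION: the chapter
    gives the colours and escalation owners, not the score boundaries.
"""
from statistics import mean

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# (upper score bound, colour, level, escalated to). Bounds are assumed, not from the chapter.
ESCALATION_BANDS = [
    (5, "green", "low", "team leaders"),
    (10, "yellow", "medium", "directors"),
    (16, "amber", "high", "VPs"),
    (25, "red", "critical", "CEO"),
]

# Assumed reading of the ALARP overlay in Exhibit 10.13: one region per colour band.
ALARP_REGION = {"green": "acceptable", "yellow": "tolerable",
                "amber": "tolerable", "red": "unacceptable"}


def average_vote(votes):
    """Mean of independent 1-5 votes, rounded to two decimals (the workshop method)."""
    if not votes:
        raise ValueError("no votes recorded")
    if any(not 1 <= v <= 5 for v in votes):
        raise ValueError("votes must be in the 1-5 range")
    return round(mean(votes), 2)


def residual_category(inherent, effectiveness):
    """Place a risk in the 2008 residual matrix from the inherent/effectiveness gap.

    Returns (level, kind). level is low/moderate/high/critical by gap size; kind is
    'risk' when effectiveness is below the inherent rating (controls insufficient),
    'opportunity' when above (controls excessive), 'balanced' when equal.
    """
    gap = round(inherent - effectiveness, 6)  # suppress float noise at the thresholds
    size = abs(gap)
    if size == 0:
        level = "low"
    elif size <= 0.5:
        level = "moderate"
    elif size <= 1:
        level = "high"
    else:
        level = "critical"
    kind = "risk" if gap > 0 else "opportunity" if gap < 0 else "balanced"
    return level, kind


def severity(impact, likelihood):
    """Impact x likelihood cell score on the 5x5 matrix (1 to 25)."""
    return IMPACT[impact.lower()] * LIKELIHOOD[likelihood.lower()]


def escalation(score):
    """Colour, level, escalation owner and ALARP region for a 1-25 severity score."""
    if not 1 <= score <= 25:
        raise ValueError("score must be between 1 and 25")
    for bound, colour, level, owner in ESCALATION_BANDS:
        if score <= bound:
            return colour, level, owner, ALARP_REGION[colour]
    raise AssertionError("unreachable: bands cover 1-25")


def evaluate(name, impact, likelihood, inherent_votes, effectiveness_votes):
    """Evaluate one register entry end to end; returns a dict suitable for reporting."""
    inherent = average_vote(inherent_votes)
    effectiveness = average_vote(effectiveness_votes)
    level, kind = residual_category(inherent, effectiveness)
    score = severity(impact, likelihood)
    colour, band, owner, region = escalation(score)
    return {"name": name, "inherent": inherent, "effectiveness": effectiveness,
            "residual": f"{level} {kind}", "score": score, "band": band,
            "colour": colour, "escalate_to": owner, "alarp": region}


if __name__ == "__main__":
    # Constructed sample entries for the example; not taken from any BCLC register.
    register = [
        ("Unpatched point-of-sale terminals", "major", "likely", [4, 4, 5, 3], [2, 3, 2, 3]),
        ("Duplicate sign-off on low-value refunds", "minor", "possible", [2, 2, 3, 2], [4, 4, 5, 4]),
    ]
    for entry in register:
        print(evaluate(*entry))
```

Keeping the band boundaries in one table (ESCALATION_BANDS) rather than scattered through the code matters more than it looks: the chapter reports that the 2011 recalibration cut executive escalations from 33 to 10 purely by moving the criteria, so a change in leadership risk tolerance should be a one-line edit whose effect on the whole register can be re-run and reviewed.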
The next significant risk assessment and evaluation development was the
expansion of the risk consequence criteria in August 2012 to include positive out-
comes. Consideration of positive outcomes from uncertainty was introduced in
ISO 31000, but has long been recommended by project management, for exam-
ple in the Project Management Institute (PMI)’s Practice Standard for Project Risk
Management. The concept was introduced for two reasons: to better engage those
parts of the organization that were aiming to become highly innovative, and to
better assess the risks associated with new initiatives. The new approach enables
the comparison of risk with potential reward, and establishes the idea that both
threats and opportunities are associated with uncertainty.
Exhibit 10.13 Implementing the ALARP Approach to Risk Response (the relationship between risk criteria, severity assessment, escalation, and tolerance): the 5 x 5 matrix (likelihood Rare to Almost Certain; impact Insignificant to Catastrophic; cell score = impact x likelihood, from 1 to 25) is divided into four severity bands, each with an escalation owner: green/low (team leaders), yellow/medium (directors), amber/high (VPs), and red/critical (CEO). The ALARP regions are overlaid on the bands: an acceptable region (necessary to maintain assurance that risk remains at this level); a tolerable region (tolerable if the cost of reduction would exceed the improvement gained, and toward its upper end tolerable only if risk reduction is impracticable or its cost is grossly disproportionate to the improvement gained); and an unacceptable region (risk cannot be justified save in extraordinary circumstances).

The new consequence table was based as previously on the key BCLC goals but for the first time included consideration of both positive and negative impacts, with benefits considered as opportunity and loss/harm as threat. The table has four levels of positive outcomes and four levels of negative outcomes (with a neutral zone bridging the two). BCLC has opted for a symmetrical approach so that a given level of negative outcome in any of the dimensions is balanced by the equivalent level of positive outcome. For example, one of the existing financial criteria references the possibility of making a loss of up to $5 million. Therefore, the parallel positive consequence is a potential gain of up to $5 million. Likewise, in the overall severity matrix, the appetites and tolerances for positive risk follow the same principles already in use for negative risk.
The new table was incorporated into the business case template, with sim-
ple graphical maps produced as an outcome of a detailed assessment showing the
overall risk profile of any proposed initiative. These maps are used as one of the fac-
tors determining both the selection of initiatives and the level of risk management
support and monitoring subsequent to approval. The approach has proved very
helpful for both risk mitigating proposals to be able to demonstrate value more
clearly and for those initiatives that have a more balanced profile to incorporate
risk treatment plans from a much earlier stage, allowing for better risk planning
and resourcing.
Exhibit 10.14 shows an example of the summary charts produced as an out-
come of a business case risk assessment exercise. The business case is for an initia-
tive that is primarily designed to reduce existing risks across a number of organi-
zational objectives. The bars show the current threat and opportunity assessment,
while the lines show the anticipated effect of the initiative on the organizational
risk profile. The matrix looks at the overall balance between threat and opportu-
nity, with the pre- and post-treatment statuses showing very positive changes. This
initiative was approved and is proceeding. Because of the high levels of uncer-
tainty, monitoring of threat mitigation and benefit realization will be important.
Exhibit 10.15 shows another example, this time for an initiative with very low
levels of uncertainty. The overall effect of the initiative on the organization’s risk
profile is broadly neutral. This initiative was also approved and is proceeding. As
levels of uncertainty are low, monitoring will be minimal.
Exhibit 10.14 Business Case Risk Assessment Output Example 1: a bar chart of summary risk scores (scale -25 to +25) for each of the five goal dimensions (Player, People, Public, Profit, Process), showing the initial opportunity level and the level after treatment above the axis and the initial threat level and the level after treatment below it, alongside a threat-against-opportunity matrix (each axis from low to high) marking the pretreatment and posttreatment positions.

Although there was a significant learning curve both for the teams participating in the risk assessments and for senior management in interpreting the results, the new approach was endorsed by management and was used again in 2013 with some minor improvements to increase consistency.
Linking discussion of potential rewards with potential problems has sup-
ported the development of a more nuanced view of risk across BCLC and proved
more culturally acceptable to individuals and groups tasked with developing inno-
vative practices, as there is less of a focus on asking “What could go wrong?” and
more emphasis on “What is not certain?” This has helped the ERM program to
counter the viewpoint held by some groups that managing risk is a necessary but
uninspiring and possibly bureaucratic exercise required by a risk-averse corpo-
ration, and has led to a better understanding that becoming risk-aware helps in
embracing change and achieving objectives.
Exhibit 10.15 Business Case Risk Assessment Output Example 2: the same pair of charts for the low-uncertainty initiative (summary risk scores from -25 to +25 for Player, People, Public, Profit, and Process, with the initial and post-treatment opportunity and threat levels, and a threat-against-opportunity matrix marking the pretreatment and posttreatment positions).
CONCLUSION
This case study has described how enterprise risk management has developed
over the past 10 years at BCLC, a Canadian crown corporation offering lottery,
casino, and online gambling. BCLC’s enterprise risk management program has
been developed over time through a combination of internal experiential learn-
ing and the application of specialist advice. The program’s success has been due
to the dedication of a number of key individuals, the support of senior leadership,
and the participation of BCLC employees.
The approach to ERM has evolved from informal conversations supported by
an external assessment, through a period of high-level corporate focus supported
by a dedicated group of champions using voting technology, to an embedded
approach, where risk assessments are incorporated into both operational practice
and planning for the future using a variety of approaches, depending on the con-
text. The increasing maturity of the program has been mapped to a simple scale
adapted from a model developed by Deloitte (Exhibit 10.16).
BCLC’s current approach to managing risk is one that recognizes that, in
order to innovate and develop, it needs to embrace change with all the associated
uncertainty that brings. At the same time it needs to protect its reputation and
preserve the integrity of its systems and processes. Risk awareness and appro-
priate response are thus essential in both day-to-day and longer-term strategic
planning.
BCLC is moving into a more challenging future and working to transform into
an increasingly dynamic and innovative organization, where effective risk man-
agement will increasingly become a core competency for success. As its leaders
reflect on 10 years of enterprise risk management, there are still plenty of chal-
lenges ahead in order to continue to sustain and develop its program. In particular
they are looking to automate monitoring and reporting.
Exhibit 10.16 BCLC’s Journey toward Risk Management Maturity

Maturity scale (adapted from Deloitte):

1: Unaware
• No formal procedures for risk assessment
• Depends primarily on individual heroics, capabilities, and verbal wisdom
• Ad-hoc/chaotic

2: Fragmented
• No focus on risk inter-linkages
• Limited alignment of risk to strategy
• Disparate monitoring
• Reaction to adverse events by specialists
• Discrete roles established for small sets of risks
• Risk definitions vary across the organization

3: Coordinated
• Policies, risk authorities defined and communicated
• Common approach for routine risk assessments
• Communication of key risks to the Board
• Executive committee for risk management established
• Dedicated team
• Primarily qualitative
• Reactive

4: Systematic
• Coordinated risk management activities
• Risk appetite is defined
• Enterprise-wide risk monitoring, measuring and reporting
• Training
• Risk analysis tools developed and communicated
• Integrated response to adverse events
• Rapid escalation
• Proactive

5: Strategic
• Embedded in strategic planning, resource allocation, business/product development, and other key decisions
• Early warning risk indicators
• Linkage to performance measurement and incentives
• Risk modeling and scenarios
• Industry benchmarking
• Technology implementation
• Sustainable

BCLC timeline (dated milestones):
2003 • EROM assessment
2006 • IA ERM assessment initiated
2006–2007 • ERM program launch
2008 • Quarterly ERM reporting
2009
2010 • Updated ERM guidance issued
2011 • ERM move to CFO
2012 • New ERM framework

Further milestones shown on the timeline, in order:
• ERM manager recruited
• ERMAC established
• ERM policy produced
• 1st ERMAC assessment
• Board assumes primary ERM oversight
• Risk Planning Group established
• Opportunity criteria incorporated
• Strategic risk assessment
• Realignment of risk criteria
• High risks formally assigned to VPs
• Internal Audit ERM review
• New risk manager recruited
• Risk workshops
• Risk registers established

Next steps:
• Introduce supporting technology
• Develop GRC synergies
QUESTIONS
1. Sometimes risk workshops generate so many risks that it is not possible to assess all
of them, while on other occasions only a small number of risks are identified and in-
depth assessment is possible. What are the advantages and disadvantages of these two
scenarios?
2. How do outcomes, causes, and risks differ, and what are the implications of confusing
these?
3. Is the term inherent risk helpful? How could it help and/or hinder the assessment of risk?
4. What are the implications of moving from assessments of predefined sets of risks to using
top-down objectives based on the balanced score card approach?
5. Contrast the advantages and disadvantages of using voting technology compared with
other approaches such as those described in this case study.
NOTES
1. The Sarbanes-Oxley Act of 2002 was enacted in the United States as a response to a num-
ber of corporate governance scandals and introduced a number of financial governance
regulations, including the requirement to produce a report on internal control.
2. The CBC investigative series Fifth Estate aired an episode entitled “Luck of the Draw”
on March 14, 2007, about insider wins, featuring the story of Bob Edmonds, who was
defrauded out of his lottery winnings by a retail clerk.
3. The Player First program was BCLC’s response to the Ombudsman report and Deloitte
recommendations, a collection of significant change initiatives under way from 2007 to
2011 designed to put the player at the forefront of BCLC activities.
4. Bow-tie analysis is a simple diagrammatic way of describing and analyzing the pathways
of a risk from causes to consequences. The approach is outlined in ISO 31010 risk assess-
ment techniques. Also see pages 291–293 of Enterprise Risk Management: Today’s Leading
Research and Best Practices for Tomorrow’s Executives, ed. John Fraser and Betty J. Simkins
(Hoboken, NJ: John Wiley & Sons, 2010).
5. The balanced scorecard originated by Drs. Robert Kaplan and David Norton as a per-
formance measurement framework that added strategic nonfinancial performance mea-
sures to traditional financial metrics to give managers and executives a more balanced
view of organizational performance.
REFERENCES
AS/NZS 4360:2004 Risk Management.
BCLC Annual Service Plan Report 2012/2013.
BC Ombudsman. 2007. “Winning Fair and Square: A Report on the British Columbia Lottery
Corporation’s Prize Payout Process.”
British Columbia Treasury Board. Core Policy and Procedures Manual (CPPM). “Risk Manage-
ment,” Chapter 14.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004.
“Enterprise Risk Management—Integrated Framework.”
Deloitte & Touche. 2003. “Enterprise-Wide Risk & Opportunity Management (EROM)—
Phase 1 Final Report.”
Deloitte & Touche. 2007. “Report on the Independent Review and Assessment of the Retail
Lottery System in British Columbia.” October.
Ernst & Young. 2010. “Results of the Enterprise Risk Management Benchmarking Study
Involving 11 Participating Organizations.”
ISO 31000:2009 Risk Management—Principles and Guidelines.
Society of Actuaries. 2009, 2010. “A New Approach for Managing Operational Risk.”
ABOUT THE CONTRIBUTOR
Jacquetta Goy is the Director of Risk Management Services, Thompson Rivers Uni-
versity and former Senior Manager, Risk Advisory Services at British Columbia
Lottery Corporation, responsible for establishing and developing the enterprise-
wide risk management program. Prior to that she spent 14 years in the English
health service, where she was responsible for setting up and developing the risk,
quality, and governance programs for an inner-city health care organization. This
involved preparing for a variety of accreditation reviews and inspections, manag-
ing quality assurance, audit, complaints, clinical risk, investigations, and root cause
analysis. Jacquetta has both participated in and organized a number of conferences
on both risk and quality management. She studied international politics at Aberys-
twyth University, Wales, and has a master’s in public health from St. George’s Uni-
versity of London. Currently, she is a member of the Canadian Committee for Risk
Management and Related Activities, Canadian Standards Association, and one of
the Canadian delegates on the international technical committee for risk manage-
ment (TC262). She can often be found on various LinkedIn risk groups advocating
ISO 31000.
CHAPTER 11
Starting from Scratch
The Evolution of ERM at the Workers’
Compensation Fund
DAN M. HAIR
Senior Vice President, Chief Risk Officer, Workers Compensation Fund
Modern workers’ compensation systems are children of the industrial revolution. The concept of a social insurance program protecting workers from job-related injuries and illnesses had its modern origins in the
development of European factory, child labor, and mining regulations throughout
the eighteenth and nineteenth centuries. In the United States there was a long ges-
tation period leading to the adoption of similar schemes. In the nineteenth century
accidents in the mining and railroad industries led to early regulatory structures in
those areas. The Russell Sage Foundation’s Pittsburgh Survey of 1907 along with
the Triangle Shirtwaist Factory fire in 1911 were major factors in the adoption of
the first state workmen’s compensation laws from 1911 to 1915.
In 1917, the Utah legislature passed the Workers’ Compensation Act, requiring
all employers to obtain workers’ compensation insurance coverage. The Workers
Compensation Fund (WCF), then called the State Insurance Fund, was created to
provide competitively priced insurance to Utah employers. In the same year, the
legislature appropriated $40,000 from the state treasury for WCF to begin writing
insurance. This loan was repaid by WCF in four years, and from that time forward
WCF has operated financially independent of the state, even though it has functioned largely
as a state agency.
A formal organizational study of WCF was completed in 1987. It recom-
mended autonomy from state administration by establishing WCF as a quasi-
public corporation with a board of directors comprised of policyholders and indi-
viduals with expertise. In 1988 the Utah legislature again modified its statutes to
protect the state from any WCF expenses or debts and to prohibit the state from
accessing the Injury Fund. In 2005 the Utah Supreme Court ruled that WCF and all
of its assets were solely owned by its policyholders.
Today, WCF operates as a mutual insurance company owned by its policy-
holders and governed by a seven-member board of directors appointed by the
governor. WCF performs a public purpose relating to the state and its citizens.
Specifically, WCF serves as Utah’s carrier of last resort for workers’ compensation
insurance coverage. As such, any Utah employer, no matter its size, the riskiness of
its business, or its prior loss history, can obtain workers’ compensation insurance
coverage from WCF.
WCF is under state regulatory oversight provided by the Utah Department of
Insurance and Utah Labor Commission. WCF also receives annual rating agency
financial oversight through the A.M. Best Company, which examines, among
other things, solvency, operating performance, risk-based capital requirements,
and enterprise risk management (ERM) capabilities. Currently, WCF is rated A or
excellent. WCF has its headquarters in Sandy, Utah, and additional branch offices
in central, northern, and southern Utah. It also owns affiliated companies that are
licensed to write workers’ compensation insurance and perform claims manage-
ment services in other states as well.
TOWARD ERM PROGRAM INITIATION
The early 1990s were a time of transformative change at WCF. In 1992 the board
hired a new president and CEO, Layne Summerhays, who soon added additional
executives. The resulting executive group was an amalgam of new leaders who
had spent their careers in the private sector and retained leaders with critical insti-
tutional memory and experience with the workers’ compensation system in Utah.
The new executive team established a focus on customer service, internal account-
ability, operating efficiency, and private carrier best practices.
In the ensuing years WCF obtained its initial (A–) A.M. Best rating, signifi-
cantly improved operating results and customer satisfaction, grew its surplus from
$67 million to more than $600 million, and returned 40 percent of net income to
policyholders in dividends. These impressive results came despite the vagaries of
market cycles and some very difficult strategic challenges.
Utah has been a very competitive insurance market for many years. Com-
petitors have included large, national multiline carriers, national workers’ com-
pensation specialty carriers, and locally domiciled insurers. Their ability to quote
multiple lines of insurance in and out of Utah put WCF at a distinct competitive
disadvantage. Additionally, as WCF’s fortunes changed, various parties initiated
discussions within the legislature regarding WCF’s structure, its future status
as a tax-exempt market of last resort, and the ultimate ownership of company
assets.
These two significant risks were tackled by the management team in close col-
laboration with the board. Working toward solutions involved risk assessment,
evaluation of options, and envisioning potential outcome scenarios, both positive
and negative. Ultimately the multistate issue was creatively resolved by working
with the legislature to get limited statutory changes in an amicable fashion and
the formation of an affiliated company. Resolving ownership of company assets
was a more contentious issue between WCF and the executive branch of state gov-
ernment. This was only resolved after the board and management determined it
would be necessary to take legal action by suing the State of Utah. The resulting
litigation was decided in favor of WCF by the landmark 2005 Utah Supreme Court
decision.
This episode in the history of the company, which involved robust discussion
of risk, potential scenario development, and close collaboration with the board,
was the foundation for what has followed. In addition, at the company’s annual
retreat and planning session for board members, senior vice presidents, and vice
presidents in 2006, time was set aside for consideration of the range of potential
risks to the company. Returning from this board retreat, the executive team began
an ongoing discussion of key strategic risks and opportunities that continues to
this day.
Although the financial trials of the Great Recession of 2007–2011 did not
seriously impact the solvency of WCF or the property-casualty insurance indus-
try, they certainly stimulated boards to think about risk, fat tails, black swans,
and low-frequency, high-severity events. This watershed event also resulted in
financial rating organizations such as Standard & Poor’s and A.M. Best mov-
ing toward the development of much more robust questioning of rated firms’
capital management, risk assessment practices, and enterprise risk management
capabilities.
At this time WCF’s President and CEO, Ray Pickup, along with Board Chair
Dallas Bradford and other directors, began serious discussions of the need for
more formality and structure in the company’s risk management efforts. As the
former CFO, Ray Pickup not only had a deep understanding of risk but a passion
for transparency and openness, as well as a self-effacing management style that
valued input from all areas of the company. As a retired partner in a public
accounting firm, Chairman Bradford had long dealt with issues of risk and was a
self-described “glass is half empty guy” who “imagined the worst scenario.” He
noted that when a company’s risk management efforts fail, “a great many people
would be financially damaged and the company’s public image would perhaps be
irreparably damaged.” He also expressed that “The company had done some sig-
nificant work in this arena, but little of it had been documented and there was no
clear response mechanism in place. Also, there was no organized process in place
to evaluate the various risks. It was an easy step for me to encourage the company
to undertake a much more rigorous program to identify and manage potential risks
that could severely damage our company and the important public interests we
serve.”1
INITIAL ACTIONS
In late 2010 Ray Pickup, with the approval of the board, created the chief risk offi-
cer (CRO) position, designating Dan Hair, who had been and would continue to
serve as the Chief Underwriting and Safety Officer, as the first CRO. An addi-
tional committee of the board, the Risk Oversight Committee, was also created.
The job description for the new CRO position contained several key elements (see
WCF Chief Risk Officer Job Description). First, the CRO was to report to the pres-
ident and CEO but with additional reporting responsibilities to the board and the
newly formed Board Risk Oversight Committee. This was reinforced by the CEO,
who encouraged direct access to the board by the CRO, including the airing of
any differences of opinion. Second, the CRO was to have access to all areas of the
company and its affiliates. This was fundamentally important if the CRO was to
have an enterprise-wide understanding of all the risks facing WCF. Third, implicit
in the job description and explicit in the WCF Risk Policy (see WCF Risk Policy) is
the idea of excellence in the development of a program that is suitable and appro-
priate for WCF.
January 25, 2011: Initially the CRO, working with Chief Financial Officer Scott
Westra, developed a preliminary risk assessment matrix to be used by the senior
officers in a Delphi qualitative assessment of all risks facing the company. Each
executive was asked to look at a list of risks provided by the CRO, add to it any
risks they felt should be considered, and score the severity and probability of
those risks. Several meetings followed with the entire senior team to come to a
consensus on the matrix, scores, and risk list. Initial results were then presented
to the entire Board, which resulted in further refinement of the matrix and heat
maps (Exhibits 11.1 and 11.2). The Board and management were in agreement that
risk appetite should primarily be evaluated by impact on WCF surplus. This was
later refined to include statutory combined ratio and operating income. Senior
management was explicitly tasked with developing mitigation plans for any risks
scoring in the red area of the heat map.
WCF Chief Risk Officer Job Description
Position Purpose
The purpose of this position is to develop and monitor the Risk Manage-
ment strategy, policies, and processes under the direction of the CEO, Board
of Directors, and Board Risk Oversight Committee. Ensure that appropriate
risk assessment and mitigation strategies are developed for all core functions
of WCF.
Nature and Scope
The Chief Risk Officer (CRO) is a Senior Executive with 10–15 years
of experience who has a broad understanding of all key areas of the
business. The CRO possesses management experience in key business
areas with proven ability to provide strategic direction and leadership.
He/she has superior analytical, presentation, communication, and facilita-
tion skills. The incumbent usually possesses advanced degrees and/or tech-
nical certifications in accounting, actuarial, risk management, operations, or
finance.
Performance is measured on overall achievement of company financial
objectives and the effectiveness of the ERM program in developing and
implementing the best approaches for protecting WCF, its employees, and
assets.
Principal Duties
Essential Functions
1. Develops and communicates an appropriate Enterprise Risk Manage-
ment (ERM) infrastructure within WCF by working cooperatively with
the Senior Officers as a group and with each department in a collabora-
tive manner.
2. Under the direction of the CEO, works with other company executives
and the Board Risk Oversight Committee to develop an ERM strategy
for WCF that identifies, quantifies, and mitigates risks facing the com-
pany. Provides appropriate risk reporting.
3. Consults with and provides assistance as requested to WCF affiliates
and subsidiaries. Works with them to ensure that appropriate ERM
planning is in place.
4. Facilitates enterprise-wide risk assessments and monitors the capabili-
ties around managing priority risks across the organization.
WCF Risk Policy
Failure to manage risk, whether it is financial, operational, or reputational,
may subject the Company to negative outcomes. These outcomes could
impact our customers, colleagues, partners, and the viability of our business.
Managing risk reinforces our corporate values of compassion, accountability,
and expertise.
Consequently, every employee, WCF department, and affiliate will con-
tinually assess and monitor risks of all types. Under the direction of Senior
Management and the Board of Directors we will take appropriate mitigation
actions consistent with our mission of excellence.
In subsequent months the CRO met with the leadership of each WCF depart-
ment and affiliate to explain the importance of the ERM program, why it was
being launched, and their role in the program. Basic risk management training
was given to them along with a modified departmental risk matrix. Their views
on risks within the company and their departments were solicited and they were
guided to the development of their own heat maps. At the same time the initial
meeting of the Board Risk Oversight Committee was held and the duties of the
Internal Risk Committee (IRC), chaired by the CRO, were established (see WCF
Internal Risk Committee Duties). This effectively created an ongoing three-level
review of risk consisting of the board, senior management, and key company
leaders.
Exhibit 11.1 WCF ERM Risk Management Matrix Values

Incident or exposure probability descriptions (Risk = P × S)
• Very low (1): Improbable, no prediction confidence (P = .01; range = <.02)
• Low (2): Remote, may occur once every 10 to 50+ years (P = .02)
• Moderate (3): Occasional, may occur once every 3 to 10 years (P = .16; range = .10 to .33)
• High (4): Probable, may occur once every 2 to 5 years (P = .25; range = .20 to .50)
• Very high (5): Frequent, could occur annually (P = .50; range = .50 to 1.0)

Incident or exposure severity descriptions
• Slight loss (1): Inconsequential with respect to financial, personnel, or brand damage; less than 1% of surplus, or a loss of up to $10M, or a 1- to 5-point impact on combined ratio.
• Medium loss (2): Important financial, personnel, or brand damage; threshold of financial materiality, 5% or more of surplus, or an $11M to $25M loss, or a 6- to 10-point impact on combined ratio.
• Material loss (3): Material damage to financial strength, personnel, or brand; a $26M to $50M loss, or an 11- to 15-point impact on combined ratio.
• Large loss (4): Significant damage to financial strength, personnel, or brand; 10% or more of surplus, or a $51M to $75M loss; could damage stakeholder confidence; or a 16- to 20-point impact on combined ratio.
• Very high loss (5): Catastrophic impact on solvency, brand, or personnel; 50% or more of surplus, or a loss greater than $75M; would damage stakeholder confidence; or a combined ratio impact of more than 20 points.
WCF Internal Risk Committee Duties
Description
• Meets quarterly under the direction of the Chief Risk Officer.
• Attended by representatives/risk champions from each department or business unit.
• Reviews reports on department risk identification and mitigation efforts.
• Reviews risks and risk mitigation efforts company-wide.
• Receives training in risk recognition and mitigation techniques from CRO and others.
• Helps develop WCF risk policies and resources.
• Assesses risk integration and response issues.
Members
• Preferably business unit managers or leaders with interest in risk management.
• Ability to train and coach others.
• Thorough understanding of all aspects of the department/business unit.
Standing Agenda
• Review/update WCF key risks and mitigation efforts.
• Review/update department or business unit key risks and mitigation efforts.
• Training in ERM, risk identification, and control techniques (CRO or guest speakers).
• Committee member new business.
• Improving/strengthening the risk culture at WCF and affiliates.
In its initial meetings, the Board Risk Oversight Committee, which meets
two or three times per year, approved the IRC Charter and gave direction and
feedback regarding initial efforts. One valuable suggestion was to do a risk survey of the entire company. Although approximately one-third of WCF employees had already been involved in ERM activities to date, this was a very helpful idea. Over 50 percent of all employees responded (see 2012 All-Employee ERM Survey). The survey was done electronically with optional anonymity for all participants.

Exhibit 11.2 WCF Risk Assessment Matrix. The heat map plots incident or exposure probability (Very low (1) to Very high (5)) against incident or exposure severity (Slight loss (1) to Very high loss (5)); each cell carries the product P × S, and the increased darkness corresponds to the risk, i.e. low = least dark, medium = middle shade, and high = darkest. The risks plotted, with their scores:

Category 3 (score 9 or greater): Loss of Tax Exemption (12); Multi-line competition, leveraging (12); Equities or Securities Impairment (10); Large Earthquake (9); Prolonged Economic Downturn Beyond 2011 (9); Prolonged Soft Market Beyond 2011 (9).

Category 2 (score 4 to 8): AWCIC Failure (8); Multi-Year High Combined Ratio (7.02); Interest Rate Risk (6.9); Terrorist Act (6.46); Malevolence Against Company (6.24); Inflation Risk (6); Bond Credit Risk (6); Adverse Loss Reserve Development (5.8); Other Detrimental Federal Regulatory Action (5.76); Significant Number of Large Losses in Single Year (5.52); Detrimental State Regulatory Action (5.2); Data Breach With Loss of Data (5.04); Catastrophic Multi-Claim Incident (4.64); Loss of Tax Exemption Retroactively (4.5); Violent Security Breach (4); Employee Malfeasance (4).

Category 1 (score under 4): Pinnacle or AWCIC Failure (3.84); Other Credit Risks – Receivables (2).

Risk Score
Under 4: Category 1: Risk reduction actions discretionary, risk acceptable
4 to 8: Category 2: Ongoing risk assessment appropriate with informal mitigation but may be within risk tolerances; to be discussed with Internal Risk Committee
9 or greater: Category 3: Unacceptable risk, triggers scenario planning and development of mitigation plan to be presented to Board Committee
2012 All-Employee ERM Survey
� What are the most important challenges facing WCF today?
� What are the greatest threats to our reputation/brand?
� What local or national events or trends should cause us the most con-
cern?
� What other issues should the Chief Risk Officer be concerned about?
� Name (optional)
Initial IRC discussions were robust and enthusiastic. The mix of company offi-
cers, managers, and risk champions worked effectively together. Many of the risks
that were contained in the consolidated risk list they developed were also iden-
tified by the senior group and the company-wide survey. Having wide unanim-
ity on which risks were most important was very helpful and allowed effective
focus. Early on it was decided to split the list of risks thus developed into two
sections. The first section contained the risks that, as department leaders, the IRC
could impact and manage. The second-tier risks were those that were of a strategic
nature or just simply could only be managed by senior management.
The initial duties of the Internal Risk Committee were to review all the depart-
ment risks, consolidate them where possible, and come up with a consensus scor-
ing using the risk matrix. The committee was split into a gold team and a blue
team to accomplish this and report back to the IRC, whereupon a consensus was
reached. Mitigation plans were discussed and developed where appropriate. In
some cases this involved tailored mitigation steps. In many others it was deter-
mined that existing WCF and department management protocols and procedures
were adequate. It is the ongoing duty of the IRC to meet quarterly to discuss the
adequacy of existing mitigation efforts and to consider new risks. In each meeting
of the IRC, members are asked to again consider the question “Have we adequately
protected the company against these risks?” Many of the early discussions of the
IRC were taken up with data security concerns, particularly relating to the Health
Insurance Portability and Accountability Act of 1996. The committee also focused
on cyber risk, other operational risks, affiliate risks, and compliance risks.
As a final note to this section, developing and maintaining positive and helpful
relationships with other executives is very important. Two roles that are especially
important at WCF are the CFO and the company’s head of Internal Audit. At WCF
they work closely and effectively by fully sharing information, both internal and
external. Both the CFO and Internal Audit leader participate in the IRC. The CRO
has no direct authority over other executives, so he or she must work in a collabo-
rative manner, building consensus as to needed measures and ERM development.
Should problems arise, the CEO has been willing to intervene in support of the
ERM program, but that has rarely been needed.
MATURING: YEARS 1 AND 2
In the spring of 2011 a new tool was added to the ERM program with the intro-
duction of the risk register (RR). Although this did not replace the risk list and
heat maps, it consolidated all that information into one Excel file (see Exhibit 11.3)
and added new elements necessary to properly manage risk. This is the primary
document WCF uses to monitor enterprise risks.
The first cell contains each risk’s assigned number and designation reflecting
whether it is assigned to the IRC or to senior management. There are currently
about 25 of each. A description of each risk is in the next cell, which is refined
from time to time. The next cell captures risk correlation by listing the number of
other risks in the document believed to be likely to occur at the same time or to
be interrelated in some way. For example, a prolonged economic downturn affects
other risks such as market cycle risk and pricing risk.
The next six cells in the RR deal with how the risk is scored and the poten-
tial loss to the company. The probability and severity scores are listed as currently
scored. These are subject to modification to reflect changing conditions or success-
ful mitigation. The risk score is listed and the cell is filled with light gray/medium
gray/dark gray indications. The risk matrix gives ranges for both probability and
severity, and selections are made for both and entered as AP (actual probability)
and severity potential. These two cells are multiplied to produce a potential loss
value. In a separate chart produced for the board, this cell is graphed into a tor-
nado chart (see Exhibit 11.4) to give a representation of total potential losses at
any one time. The CRO also prepares for them a separate modified heat map that
shows only the most critical risks and opportunities with indications of whether
we feel they are increasing or decreasing (see Exhibit 11.5).
The remaining five cells include space for probability and severity-reduction
targets, mitigations recommended by the IRC or senior management, the risk own-
ers, and who originally identified the risk. Formal mitigation steps are entered for
higher-scoring risks. Usually at least a dozen or so risks have mitigation plans. A
mitigation plan could be a set of active steps designed to reduce or control a risk
or simply those steps that have been taken and are deemed adequate. Where this
field is blank it represents a consensus that the risk is appropriately mitigated by
current WCF guidelines and protocols. The risk owners are primarily responsible
for actively monitoring the risk and suggesting changes or actions. The origination
column just gives a record of where the concern started. Multiple people or WCF
departments can appear in both cells.
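The rules described above are simple enough to encode once a register outgrows a spreadsheet: Risk = P × S from Exhibit 11.1, the Category 1/2/3 thresholds printed with Exhibit 11.2, and the register's $ Potential = AP × Severity Potential. The Python below is an added example, not code from the book or from WCF. It applies those rules to a small constructed register, ranks the rows as the tornado chart does, lists the Category 3 rows that need a mitigation plan for the Board Committee, and rolls up the potential loss of a risk together with the risks it is marked as correlated with. The sample rows, their AP and severity-potential values, the upper bound assumed for the Low probability band, the use of the nearest band for a fractional matrix score, and the choice to sum correlated potentials are all assumptions made for illustration.

```python
"""Risk scoring and potential-loss ranking in the style of the WCF matrix.

Added example, not code from the book or from WCF. Encodes the probability
bands of Exhibit 11.1, the Category 1/2/3 thresholds printed with Exhibit
11.2, and the risk register rule  $ Potential = AP x Severity Potential.
Sample rows and the correlation roll-up are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Probability bands from Exhibit 11.1: band -> (representative P, low, high).
# Band 2 lists only P = .02 in the text; its upper bound here is assumed.
PROBABILITY_BANDS: Dict[int, Tuple[float, float, float]] = {
    1: (0.01, 0.00, 0.02),
    2: (0.02, 0.02, 0.10),
    3: (0.16, 0.10, 0.33),
    4: (0.25, 0.20, 0.50),
    5: (0.50, 0.50, 1.00),
}


def risk_score(probability: float, severity: float) -> float:
    """Risk = P x S on the 1-5 matrix scales. Fractional scores are allowed,
    as in the heat map (for example 2.1 x 2.4 = 5.04)."""
    if not (1 <= probability <= 5 and 1 <= severity <= 5):
        raise ValueError("matrix scores must lie between 1 and 5")
    return round(probability * severity, 2)


def category(score: float) -> int:
    """Category thresholds from the Exhibit 11.2 legend. '4 to 8' is read as
    4 <= score < 9 so a fractional score such as 8.5 is not left unclassified."""
    if score < 4:
        return 1
    if score < 9:
        return 2
    return 3


@dataclass
class Risk:
    """One row of the register (constructed; field names are assumptions)."""
    name: str
    probability: float           # matrix probability score, 1-5
    severity: float              # matrix severity score, 1-5
    ap: float                    # actual probability selected within the band
    severity_potential_m: float  # severity potential in $ millions
    correlated_with: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # The register takes AP from the band's range; for a fractional
        # matrix score the nearest band is used (an assumption).
        band = max(1, min(5, round(self.probability)))
        _, low, high = PROBABILITY_BANDS[band]
        if not low <= self.ap <= high:
            raise ValueError(
                f"{self.name}: AP {self.ap} is outside band {band} ({low}-{high})")

    def score(self) -> float:
        return risk_score(self.probability, self.severity)

    def risk_category(self) -> int:
        return category(self.score())

    def potential_loss_m(self) -> float:
        """$ Potential = AP x Severity Potential, in $ millions."""
        return round(self.ap * self.severity_potential_m, 2)


def tornado(risks: List[Risk]) -> List[Tuple[str, float]]:
    """Rows ranked by potential loss, largest first, as in the board chart."""
    return sorted(((r.name, r.potential_loss_m()) for r in risks),
                  key=lambda row: row[1], reverse=True)


def needs_mitigation_plan(risks: List[Risk]) -> List[str]:
    """Category 3 rows: unacceptable risk, plan goes to the Board Committee."""
    return [r.name for r in risks if r.risk_category() == 3]


def cluster_potential_m(risks: List[Risk], name: str) -> float:
    """Potential loss if a risk and every risk it is correlated with occur
    together. Summing the individual potentials is an assumption; the
    register only records which risks are believed to be interrelated."""
    by_name = {r.name: r for r in risks}
    seen, pending, total = set(), [name], 0.0
    while pending:
        current = pending.pop()
        if current in seen:
            continue
        seen.add(current)
        total += by_name[current].potential_loss_m()
        pending.extend(by_name[current].correlated_with)
    return round(total, 2)


# Constructed register rows, not WCF's data.
SAMPLE_REGISTER: List[Risk] = [
    Risk("Loss of tax exemption", 3, 4, 0.25, 60.0),
    Risk("Prolonged economic downturn", 3, 3, 0.20, 40.0,
         ["Prolonged soft market", "Pricing risk"]),
    Risk("Prolonged soft market", 3, 3, 0.20, 30.0,
         ["Prolonged economic downturn"]),
    Risk("Pricing risk", 2, 3, 0.05, 20.0),
    Risk("Data breach with loss of data", 2.1, 2.4, 0.05, 22.0),
    Risk("Other credit risks, receivables", 1, 2, 0.01, 15.0),
]

if __name__ == "__main__":
    for row_name, loss in tornado(SAMPLE_REGISTER):
        print(f"${loss:5.2f}M  {row_name}")
    print("Board mitigation plans:", needs_mitigation_plan(SAMPLE_REGISTER))
    print("Downturn cluster: $%.2fM"
          % cluster_potential_m(SAMPLE_REGISTER, "Prolonged economic downturn"))
```

The AP check in `__post_init__` is the part worth keeping in any real implementation: the register text says AP is selected from the band's range, and a row whose AP contradicts its matrix score is the kind of inconsistency a quarterly review can miss in a spreadsheet. The cluster roll-up shows why the board chart separates correlated from uncorrelated risks: a downturn row that looks modest on its own carries the soft-market and pricing rows with it.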
In late 2011 the CRO suggested to the CEO and board that at some time a third-party review of the program might be helpful in reviewing progress to date, as well
as providing some benchmarks for future improvements through the following
two to three years. The board agreed, and allocations were made in the 2012 budget
to engage a recognized thought leader with experience in the field to review WCF’s
ERM program. This was completed in the first quarter of 2012 and proved to be
very helpful. The ERM expert thus engaged was Sim Segal, a Fellow of the Society
of Actuaries (FSA), a Chartered Enterprise Risk Analyst (CERA), and president of
Simergy Inc.
The engagement included a review of all documents relating to ERM at WCF to
date, including matrices and heat maps in all their iterations. The risk register was
Exhibit 11.3 WCF Risk Register (the register table itself is not recoverable from this extraction)
STARTING FROM SCRATCH 217
Exhibit 11.4 Internal Risk Committee Risks: Probable Cost (tornado chart of $ Potential = AP x Severity Potential, in millions; bars run from $1.10 to $5.00, with uncorrelated and correlated risks shaded separately). Risks plotted, top to bottom: Bad Faith lawsuit, class action lawsuit; Catastrophic event causing multiple large claims; Transportation (aircraft) related catastrophic event (multipassenger, policyholder employees…); Subsidiary risk (AWCIC, Pinnacle); Monoline/Monostate business model, increased competition and loss of market share; Risk of delays/failures with the TORCS rewrite project; Risk of widespread misclassification resulting in inadequate rates; Legal environment: case law, benefits, retroactive or prospective legislative changes that…; Premium fraud schemes; External employee risk exposure: traveling, external appointments, working from home; Loss of sensitive data, HIPAA compliance; Inequity in benefits administration, regulatory fines, lawsuits; Loss of critical vendor (Software AG, IBM/Filenet and others); Negative Social Media/PR event; Loss of key employees including senior management; Medical advances at high cost; Internal employee risk exposure: inside and around building, violence in the workplace; Approval/payment of treatments resulting in death (Rx meds, opioids, etc.); Zions bank processing error/failure; Inadequate resources to meet business needs (employees, equipment, etc.).
reviewed along with minutes of all the IRC and Board Risk Oversight Committee
meetings. This document review was followed by a lengthy discussion with the
CRO responding to questions about the process, personalities, and content. A full
day was spent by Sim Segal in one-on-one discussion with WCF’s president and
CEO, the board chairman, other WCF executives, and members of the IRC.
The final report with recommendations was given to and reviewed with all
parties and discussed at the 2012 annual board retreat. The report was helpful in
verifying WCF’s initial steps and pointing it toward several key future steps with
some action items. These included more rigorous risk analysis of key risks using
sophisticated process safety tools, engaging more closely with the affiliates and
moving toward a more formalized approach to risk/opportunity issues.
The action items have been a primary focus throughout 2012 and 2013, and two
are worth specifically addressing. The most consistent failure mode for property-
casualty insurance carriers is reserve failures. Workers’ compensation claims have
a very long tail in that costs are not finalized for many years. In fact, WCF is still
paying on claims dating back to the 1950s. Case reserving involves an adjuster’s
considered estimate of all costs to the end of the claim and an actuary’s judgment
of the cumulative expected development on those claims. Some will close for less
Exhibit 11.5 Senior Management Risks: Threat/Opportunity Matrix (Top 10 by Risk Score). Heat map with Probability on one axis (Very Low (1), Low (2), Mod (3), High (4), Very High (5)) and Severity on the other (Slight Loss (1), Medium Loss (2), Material Loss (3), Large Loss (4), Very High Loss (5)); each cell carries its Risk Score, the product of the two, from 1 to 25. Legend: Threat, Opportunity, Both; Risk movement since last review; Risk trend based on status and current action. Risk titles plotted: Prolonged Economic Downturn Beyond 2012; Bond Credit Risk; Interest Rate Risk; Significant Number of Large Losses in a Single Year; Inflation Risk; AWCIC Failure/Rating Downgrade; Large Earthquake; Unsuccessful Pricing Strategy, High Multiyear Combined Ratio; Multiline Competition; Loss of Tax Exemption; Equities/Securities Impairments. Risk owners named in the matrix include Scott Westra, Dan Hair, Ray Pickup, Dennis Lloyd, Peggy Larson and the senior team (the owner-to-risk pairing and the individual scores are not recoverable from this extraction).
than the estimate whereas many will ultimately exceed the estimates by a consid-
erable margin. If a carrier gets this wrong, it will become insolvent. The same is
true for pricing workers’ compensation insurance. It is based on a volatile estimate
of cost of goods sold and is subject to fluctuation and pricing error. While this does
not usually result in insolvency, it can dramatically impact profitability. Therefore,
claim reserving error and pricing error seem to be the best candidates for a more
rigorous risk analysis.
To make this analysis, a simple fault tree methodology was selected (see
Exhibits 11.6 and 11.7).
The fault trees were developed through consultation with subject experts. They
consist of an end point failure that WCF is seeking to avoid and levels of precipi-
tating errors built upon each other that would lead to that top-level outcome. The
final bottom end points would be factors for which WCF needs to build mitigation
plans. In both cases significant variables are system malfunctions, human errors,
and oversight failures. The finalized analyses are then reviewed with both risk
committees.
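The fault tree evaluation described above, as an added example that is not WCF's analysis: event names are taken from Exhibit 11.6, while the gate layout and the bottom-event probabilities are constructed assumptions. It computes the top-event probability, the minimal cut sets (combinations of bottom events that are each sufficient to cause the failure), and how much mitigating each bottom event would lower the top-event probability.

```python
"""Fault tree evaluation in the spirit of Exhibits 11.6 and 11.7.

Added example, not WCF's own analysis. Event names come from Exhibit 11.6;
the gate layout and the annual probabilities of the bottom events are
constructed assumptions, since the page gives neither.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Gate:
    kind: str                # "OR": any input causes the event; "AND": all inputs must occur
    inputs: Tuple[str, ...]  # names of child gates or bottom (basic) events


TOP = "Inadequate or Redundant Claim Reserves"

# Assumed structure: an examiner error only reaches the reserves if supervisory
# review also fails (AND); everything else is modelled as OR (any one failure suffices).
GATES: Dict[str, Gate] = {
    TOP: Gate("OR", ("Case Reserves Miscalculation", "Actuarial Judgment Errors",
                     "Bulk Reserves Miscalculation")),
    "Case Reserves Miscalculation": Gate("OR", ("MIRA Failure or Anomaly", "Undetected examiner error")),
    "Undetected examiner error": Gate("AND", ("Examiner fails to review reserves periodically",
                                              "Supervisory Review or Oversight Failure")),
    "Actuarial Judgment Errors": Gate("OR", ("Incomplete or Incorrect Data Used",
                                             "Improper Modeling Technique Selected")),
}

# Constructed annual probabilities for the bottom events (illustrative, not WCF figures).
BASIC: Dict[str, float] = {
    "MIRA Failure or Anomaly": 0.02,
    "Examiner fails to review reserves periodically": 0.20,
    "Supervisory Review or Oversight Failure": 0.10,
    "Incomplete or Incorrect Data Used": 0.05,
    "Improper Modeling Technique Selected": 0.01,
    "Bulk Reserves Miscalculation": 0.01,
}


def probability(node: str, gates: Dict[str, Gate], basic: Dict[str, float]) -> float:
    """Probability of an event, recursing down the tree; bottom events are assumed independent."""
    if node in basic:
        return basic[node]
    gate = gates[node]
    child = [probability(c, gates, basic) for c in gate.inputs]
    if gate.kind == "AND":
        p = 1.0
        for x in child:
            p *= x
        return p
    none_occur = 1.0  # OR gate: 1 - P(no input occurs)
    for x in child:
        none_occur *= 1.0 - x
    return 1.0 - none_occur


def minimal_cut_sets(node: str, gates: Dict[str, Gate], basic: Dict[str, float]) -> List[frozenset]:
    """Smallest combinations of bottom events that are each sufficient to cause `node`."""
    if node in basic:
        return [frozenset([node])]
    gate = gates[node]
    per_child = [minimal_cut_sets(c, gates, basic) for c in gate.inputs]
    if gate.kind == "OR":
        sets = [s for child_sets in per_child for s in child_sets]
    else:  # AND: one cut set from every child, merged
        sets = [frozenset().union(*combo) for combo in product(*per_child)]
    minimal = {s for s in sets if not any(other < s for other in sets)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def risk_reduction_worth(top: str, gates: Dict[str, Gate], basic: Dict[str, float]) -> Dict[str, float]:
    """Drop in top-event probability if a bottom event were fully mitigated (probability set to 0).

    Ranking bottom events by this value is one way to decide where mitigation plans pay off most."""
    base = probability(top, gates, basic)
    worth = {}
    for event in basic:
        mitigated = dict(basic, **{event: 0.0})
        worth[event] = round(base - probability(top, gates, mitigated), 6)
    return worth


if __name__ == "__main__":
    print(f"P({TOP}) = {probability(TOP, GATES, BASIC):.4f}")
    for cut in minimal_cut_sets(TOP, GATES, BASIC):
        print("cut set:", " AND ".join(sorted(cut)))
    for event, worth in sorted(risk_reduction_worth(TOP, GATES, BASIC).items(), key=lambda kv: -kv[1]):
        print(f"{worth:.4f}  {event}")
```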
Finally, the other major focus in 2013 is on developing both a robust
risk/opportunity assessment tool and determining the parameters for its use. For
WCF an acceptable tool has been difficult to agree on. An initial form was devel-
oped and experimented with on a voluntary basis (see Exhibit 11.8). The form con-
tained a restatement of WCF’s risk appetite/tolerance statement guiding the users
in regard to when it should be used. A description of the proposed action was
required along with cost and expected value explanations.
Identified risks to successful implementation were listed and scored using a
matrix embedded in the tool. Mitigation strategies for risk scoring at a certain level
were completed.
Information regarding the risk owner and approvals completed the form. The
usefulness of the process seemed to lie in three areas:
1. The process could help users to cover all the bases in considering their plans.
2. It could also be helpful in creating a management review and oversight
circuit breaker that many companies that fared poorly in 2007–2010 might
today wish they had.
3. Finally, it provides a record of risk taking. We often look back on failures
and ask: How did that happen? A good risk record might show us whether
the issue was an unidentified, unforeseen risk, an execution failure, or just
a failure in judgment.
The question seems to come down to whether present systems are adequate or
whether additional formalization is worth the effort and extra work. After further
consultation with the Board Risk Oversight Committee in late 2013, management decided
to adopt a “principle-based guideline that could be used on a voluntary basis or
required by management as desired.” (See pp. 223–224.) This approach gives max-
imum flexibility along with simplicity. Simple but fundamental questions are used
to elicit understanding of a proposed action. Examples of ventures that might be
suitable for an analysis are given and a simple follow-up process is described. So
far, this approach has been successfully used several times and seems to meet the
needs of the organization at this time.
Exhibit 11.6 Claim Reserving Error Fault Tree. Top-level failure: Inadequate or Redundant Claim Reserves. Events shown (tree structure not recoverable from this extraction): Case Reserves Miscalculation; MIRA Failure or Anomaly; Unexplained change in MIRA; Internal calculations or assumptions; Basic math or benefit calculation errors; Department QC reviews not effective or timely; Liberalization of Benefits Beyond Statutory Duty; Actuarial Judgment Errors; Incomplete or Incorrect Data Used; Unanticipated Benefit Structure Changes; Inadequate Inflation Factoring; C-Suite Pressure; Federal Reserve Actions; Pressure to adopt different factors or assumptions; Pressure to misstate results or fail to report conclusions; Unanticipated National or Regional Economic Turns; Incorrect Assumptions of Inflation Changes; Overreliance on Paid or Incurred Methods; Improper Modeling Technique Selected; Actuary too Eager to Please; Problem with NCCI Data Accuracy; Loss or Corruption of Data; Undetected Retroactive Benefit Changes; Prospective Benefit Changes; Other Compensability Changes; Lack of accountability measures for adjusters or Supervisors; Examiner fails to respond to changing case information; Examiner fails to review reserves periodically; Significant change in number of examiner overrides of MIRA recommendation; Examiner Reserving Protocols Fail/Inadequate; Supervisory Review or Oversight Failure; Other Undetected System Errors or Failure; Bulk Reserves Miscalculation.
Exhibit 11.7 Pricing Error Fault Tree. Top-level failure: Book Pricing Error/Inadequate Rates. Events shown (tree structure not recoverable from this extraction): Individual Accounts Pricing Errors; Underwriting System or Underwriting Management Errors; LCM Errors; Loss Cost Errors; Underwriter Exceeds Underwriting Authority; Underwriter Fails to Follow Department Guidelines; Underwriter Gives in to Market Pressure; Underwriter Pricing Decision Overridden; Failure of PM Model to Accurately Predict Loss Ratios; Other Undetected System Errors; Flawed Analytical Tools (Rate/RAW); Supervisory Review or Oversight Failure; Conceptual Weaknesses in the Underwriting Guidelines; C Suite Risk; Regulatory Resistance; NCCI Miscalculation; Other Undetected Management Failures; Underwriter’s Analysis is Flawed or Incomplete; Malfeasance or Ethical Lapses. Note on the exhibit: Each end event shown in the bottom rectangular boxes will have its own series of mitigation actions designed to limit the possibility of occurrence.
222 Implementing Enterprise Risk Management
It is the policy of WCF senior management to identify risk exposures that represent a potential “material” loss to the Company with an occurrence probability of “moderate” or higher. Material loss is defined as >5% of specific company surplus, or Departmental budget. In addition, management will identify correlated risks that, occurring simultaneously, would trigger either of these or an income statement loss greater than 10% of annual premium.
Risk Analysis Worksheet
Date:
Company, Department, or Subsidiary:
Proposed Action, Product, or Operational Change:
Potential Risks: ten numbered rows, 1) through 10), each with a Prob. Score, Sev. Score, and Total Score.
Incident or exposure probability descriptions
Very Low (1): Improbable, no prediction confidence
Low (2): Remote, may occur once every 10-50+ years
Moderate (3): Occasional, may occur once every 3-10 years
High (4): Probable, may occur once every 2-5 years
Very High (5): Frequent, could occur annually
Incident or exposure severity descriptions
Slight Loss (1): Inconsequential with respect to financial, personnel, or brand damage. Less than 1% of surplus or $10M loss or less
Medium Loss (2): Important financial, personnel, or brand damage; 5% or more of surplus or $11M-$25M loss.
Material Loss (3): Material damage to financial strength, personnel, or brand; 10% or more of surplus or a $26M-$50M loss.
Large Loss (4): Significant damage to financial strength, personnel, or brand; 10% more of surplus or a $51M-$75M loss, could damage stakeholder confidence.
Very High Loss (5): Catastrophic impact on solvency, brand or personnel; 50% or more of surplus, greater than a $75M loss, would damage stakeholder confidence.
Potential risks scoring 6 or greater must have completed mitigation plans.
Spaces requiring input are shaded.
Mitigation Plans and Risk Owners (Attach additional documentation as needed)
Expected Value of Action
Implementation Costs
Completed by:
Dept. Manager or VP:
Dept. SVP:
CEO:
Chief Risk Officer:
Exhibit 11.8 Risk Analysis Worksheet
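A scorer for register entries built on the worksheet's probability and severity scales, as an added example rather than WCF's own tooling; it also covers the risk register mechanics described earlier in the chapter (probability × severity score, the mitigation-plan rule for scores of 6 or more, and $ Potential = AP x Severity Potential as charted in Exhibit 11.4). The sample entries, their AP values and the gray-band edges are constructed assumptions.

```python
"""Risk scoring along the lines of the WCF worksheet (Exhibit 11.8).

Added example, not WCF's own tooling. The 1-5 scales, the "score >= 6 needs a
mitigation plan" rule and the $ Potential formula are from the page; the
sample register entries and the heat-map band edges are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Probability scale (Exhibit 11.8): label -> score
PROBABILITY = {
    "Very Low": 1,   # improbable, no prediction confidence
    "Low": 2,        # remote, may occur once every 10-50+ years
    "Moderate": 3,   # occasional, may occur once every 3-10 years
    "High": 4,       # probable, may occur once every 2-5 years
    "Very High": 5,  # frequent, could occur annually
}

# Severity scale (Exhibit 11.8): label -> score
SEVERITY = {
    "Slight Loss": 1,
    "Medium Loss": 2,
    "Material Loss": 3,
    "Large Loss": 4,
    "Very High Loss": 5,
}

MITIGATION_PLAN_THRESHOLD = 6  # "scoring 6 or greater must have completed mitigation plans"


@dataclass
class RiskEntry:
    title: str
    probability: str               # key of PROBABILITY
    severity: str                  # key of SEVERITY
    actual_probability: float      # AP: annual probability used in $ Potential = AP x Severity Potential
    severity_potential_musd: float  # plausible loss in $ millions (the "severity potential" cell)
    owner: str                     # primarily responsible for monitoring the risk
    originator: str                # where the concern started
    mitigation: str = ""           # blank = consensus that current guidelines and protocols suffice

    @property
    def score(self) -> int:
        return PROBABILITY[self.probability] * SEVERITY[self.severity]

    @property
    def dollar_potential(self) -> float:
        return round(self.actual_probability * self.severity_potential_musd, 2)

    def needs_mitigation_plan(self) -> bool:
        return self.score >= MITIGATION_PLAN_THRESHOLD


def heat_map_band(score: int) -> str:
    """Light/medium/dark gray bands of the page's matrix; the band edges are an assumption."""
    if score >= 15:
        return "dark"
    if score >= MITIGATION_PLAN_THRESHOLD:
        return "medium"
    return "light"


def missing_mitigation_plans(register: List[RiskEntry]) -> List[str]:
    """Entries at or above the threshold that have no mitigation plan entered: a review finding."""
    return [r.title for r in register if r.needs_mitigation_plan() and not r.mitigation.strip()]


def tornado_order(register: List[RiskEntry]) -> List[Tuple[str, float]]:
    """(title, $ potential in millions) sorted largest first, as a tornado chart like Exhibit 11.4 shows."""
    return sorted(((r.title, r.dollar_potential) for r in register), key=lambda t: t[1], reverse=True)


def total_potential_loss(register: List[RiskEntry]) -> float:
    """Total potential losses at one time, in $ millions."""
    return round(sum(r.dollar_potential for r in register), 2)


# Constructed sample register; titles echo Exhibit 11.4, the numbers are illustrative only.
SAMPLE_REGISTER = [
    RiskEntry("Loss of sensitive data, HIPAA compliance", "Moderate", "Material Loss", 0.10, 15.0,
              owner="IT/Compliance", originator="IRC", mitigation="Encryption at rest, access reviews"),
    RiskEntry("Negative social media/PR event", "High", "Medium Loss", 0.25, 6.0,
              owner="Communications", originator="Senior management"),
    RiskEntry("Zions bank processing error/failure", "Low", "Slight Loss", 0.05, 2.0,
              owner="Finance", originator="IRC"),
    RiskEntry("Bad faith lawsuit, class action lawsuit", "Low", "Very High Loss", 0.05, 100.0,
              owner="Legal", originator="Board", mitigation="Claims QA, litigation management"),
]

if __name__ == "__main__":
    for title, dollars in tornado_order(SAMPLE_REGISTER):
        print(f"${dollars:5.2f}M  {title}")
    print("total potential:", total_potential_loss(SAMPLE_REGISTER))
    print("score >= 6 without a plan:", missing_mitigation_plans(SAMPLE_REGISTER))
```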
WCF Group—Risk Assessment Framework
February 2014
In order to protect our assets, our employees and our customers, WCF is com-
mitted to excellence and consistency in risk assessment and risk management.
We are creating a risk assessment process that is transparent, scalable and pro-
ductive. An effective process is one that promotes a thorough analysis and pro-
vides a framework for successful execution of the initiative.
Principle Based Format
The following questions should be addressed in a single document for new
ventures or initiatives meeting the risk assessment “trigger”:
1. Why do we need to take this step at this time and what are the expected
costs and benefits?
2. What are the key risks (financial, operational, market, strategic, etc.)
involved in the initiative?
3. How will each risk be mitigated? (Identify the specific controls to be
applied.)
4. What are the most likely outcomes of the venture, as well as the worst
and best case scenarios?
Examples of initiatives triggering a risk assessment
1. Significant pricing changes, e.g. refiling Loss Cost Modifiers.
2. Legislative initiatives proposed by WCF.
3. Changes in commission structure.
4. IT software or hardware purchases in excess of $500,000.
5. Changes in claim reserving methodology or claims settlement policy.
6. Investment initiatives requiring a change in investment policy and/or
including a commitment of assets of $20,000,000 or more.
7. Other non-investment initiatives requiring a financial commitment
greater than $500,000.
8. Significant changes to our reinsurance structure or policy.
Approval and follow up
1. The risk assessment should be completed prior to the initiative’s pre-
sentation to senior management or the Board for approval with a copy
provided to the Chief Risk Officer.
2. At reasonable milestones, and at the conclusion of the project, the CRO
will follow up with the project leaders to assess:
(A) Are the original goals of the initiative being met?
(B) Are actual costs in line with expected costs?
(C) Are the risk mitigation strategies being executed successfully?
(D) Would we make the same decision if we had it to do over again?
THE FUTURE
At the time of the preparation of this chapter, WCF is analyzing the results of
its second employee survey (see 2013 All-Employee ERM Survey). The questions
in the survey were reviewed with both the IRC and the Board Risk Oversight
Committee prior to the survey, and again, about half of the company’s 300+
employees have responded. WCF is trying to ascertain whether it is truly develop-
ing a risk-sensitive culture and whether it has any barriers to the free expression
of concerns and ideas. This desire for transparency and openness has been clearly
and publicly articulated by both the president and the chairman. Analysis of the
survey results, when completed, will be presented to the board.
2013 All-Employee ERM Survey
• Are there any risks the company faces that you don’t feel are being ade-
quately addressed?
• Do you feel comfortable raising concerns about risk at WCF and do you
feel they will be taken seriously?
• What should be done to help employees carefully consider risks, com-
municate concerns, and take appropriate actions to mitigate risks?
• Are there areas of WCF’s Enterprise Risk Management Program that you
would like to know more about?
• Name (optional)
The question of how much is enough is one WCF continues to grapple with.
For better or worse, it is one in which both its regulator and its rating agency are
giving specific direction as well. In the past couple of years A.M. Best has become
increasingly clear regarding its expectations of the companies it is rating. Speaking
at an industry conference in the spring of 2012, Group Vice President Ed Easop
outlined an approach of generally matching ERM expectations to the general risk
profile of the company. Where a carrier’s ERM risk capabilities did not measure
up to its risk profile, its rating might be notched down or capital requirements
might be raised. If a carrier’s capabilities matched or exceeded its risk profile, more
favorable ratings treatment and lower capital requirements would be likely.
More recently A.M. Best addressed this in greater detail at its annual confer-
ence in March 2013. A.M. Best indicated that although the property-casualty indus-
try is making progress in developing ERM programs, information gleaned from its
supplemental risk questionnaires leaves little doubt that the industry has a long
way to go. The rating agency also spelled out in great detail the underlying char-
acteristics of its ERM rating levels of superior, strong, good, and weak in 17 key risk
management areas. WCF will have its annual rating discussion meeting with A.M.
Best in late fall 2013. It will be interesting to receive feedback in those meetings
regarding the rating agency’s perception of the WCF risk profile and the adequacy
of WCF’s efforts to date.
Since 2013, the state regulator, the Utah Department of Insurance, has not
engaged WCF on this subject, but that is expected to change. As a member of the
National Association of Insurance Commissioners (NAIC), it is aware of that orga-
nization’s adoption in September 2012 of the Risk Management and Own Risk and
Solvency Assessment (ORSA) model legislation. This model law is effective for
adoption by state legislatures in 2015. Among other things, the Act requires that
“An insurer shall maintain a risk management framework to assist the insurer with
identifying, assessing, monitoring, managing, and reporting on its material and
relevant risks. This requirement may be satisfied if the insurance group of which
the insurer is a member maintains a risk management framework applicable to
the operations of the insurer.”2 At this time, WCF meets the exemption require-
ment due to premium volume written, but the Act clearly sets out standards of
best practice that should be considered.
Management has committed to, and the board expects, continued develop-
ment of the ERM program and culture. This must be done to a level that matches
WCF’s risks and ensures it will always be able to discharge the long-term respon-
sibilities it has to policyholders and injured workers. The depth and complex-
ity of the ERM program will be determined through discussion and consultation
between management and the board. WCF’s mission is excellence.
QUESTIONS
1. What skill set or industry experience would be most valuable for a CRO to acquire?
2. If a Board has an audit, investment, and risk committee how should they work together
and what would be an appropriate division of duties?
3. Should the CRO’s role be a directing or a counseling one? How would this vary in small,
medium, or large companies?
4. What would the ideal working relationship be between the CRO and CFO?
5. How should the Board and CEO evaluate a CRO’s performance and contribution to the
Company?
NOTES
1. Bradford, Dallas. June 2013. Written comments from WCF Board Chair Dallas Bradford
to author.
2. National Association of Insurance Commissioners. 2012. “Risk Management and Own
Risk and Solvency Assessment Model Act.”
ABOUT THE CONTRIBUTOR
Dan Hair is the Chief Risk Officer (CRO) at Workers Compensation Fund, located
in Utah. He joined WCF in 2005 after a 25-year career with Zenith Insurance
Company. As CRO, Dan is responsible for the enterprise risk management efforts
of WCF and reports to the president and CEO. He works directly with the
board of directors and the Board Risk Oversight Committee. Dan was educated
at UCLA and USC, has an insurance operations and safety engineering back-
ground, and has taught and published in the areas of risk and risk management for
years.
CHAPTER 12
Measuring Performance
at Intuit
A Value-Added Component in ERM Programs
JANET NASBURG
Chief Risk Officer, Intuit Inc.
Intuit started small in 1983 with Quicken personal finance software, simplifying a common household dilemma: balancing the family checkbook. Today, we’ve improved the lives of more than 50 million people, and our annual revenue
exceeds $4 billion. We are publicly traded with the symbol INTU on the NASDAQ
Stock Market, and are regularly recognized as one of the best places to work in
locations around the world.
Our flagship products—QuickBooks, TurboTax, Quicken, and Mint—define
our commitment to revolutionize the way people manage their personal finances,
run small businesses, and pay employees. Our lineup of tax preparation products
helps individuals and small business owners easily and accurately file their own
taxes. And working with accountants, we’ve become a staple of American small
business, with a widespread and deep-rooted presence that’s second to none.
But we’re much more than that. Today, our expanding portfolio serves cus-
tomers in North America, Europe, Singapore, and India. And our products have
evolved from the desktop to the cloud, with many available both online and for
mobile devices.
As the way we live and work evolves, we adapt our strategy to meet and lead
these changes. No matter where you find us—and whether you use our products
on your PC or mobile phone—we remain committed to creating new and easier
ways for consumers and businesses to tackle life’s financial chores, giving them
more time to live their lives and run their businesses. As our business and product
lines grow beyond accounting and into new areas, we will build on our heritage
of innovation. That’s not just our history. It’s our future.
INTUIT’S ERM JOURNEY
Like most companies, Intuit’s enterprise risk management (ERM) journey began
with the practice of risk management on an ad hoc basis. Organized efforts
came into play only when a significant problem occurred. Problems identified
were primarily operational in nature and were defined narrowly to the specific
issue. Well-intentioned and committed teams would attack the problem, stopping
everything to focus on and solve the problem. These teams would produce long
lists of issues and potential mitigation steps—some significant and some minor—
to be addressed. Once the immediate problem was solved, it was back to busi-
ness as usual. This ad hoc approach was not only extremely inefficient but was
also not producing a lasting framework that would allow risks to be managed
intelligently. In 2009 Intuit established the foundation of the ERM program that is
in place today. This foundation included an enterprise-wide common risk frame-
work, annual assessment cycle, and integration into the strategic planning process.
At Intuit, our ERM program has focused not simply on building a process
but on building a sustainable risk management capability. Process is a necessary
component, but process alone will not build the capability; it will not ensure that
risk management is an integral part of how the company operates. Establishing
operating mechanisms, practices, and processes that can be maintained well into
the future and drive continuous focus on risk management was an important
first step. Once the process was solidly in place, focus shifted to building risk
management capability. Robust processes for identifying risk, assessing risk, and
monitoring risk management progress helped our business leaders to develop
and implement risk management activities as part of the normal operating pro-
cesses of the company instead of reacting to risk on an ad hoc basis. This regular
rhythm of risk management has built a strong risk management capability across
the company.
Underlying Intuit’s ERM program are some core principles that have brought
Intuit’s program to the leadership level it is at today.
• A common risk framework enterprise-wide.
The establishment of a common risk framework has enabled business lead-
ers to speak about risks with a common language despite the differences in
business lines.
• Assessing risks on an ongoing basis.
A constant lens on the risk landscape increases agility to adapt to changes in
our business and the environment in which we operate.
• Focusing on the most significant risks.
Targeting attention and resources on those risks with the greatest impact on
Intuit’s growth, product delivery, and operations drives progress.
• Clearly defined ownership and accountability for risk management.
With appropriate oversight from the board and executive management,
ownership and accountability for managing risk are the responsibility of
business leaders across the company, thereby aligning ownership with lead-
ers who are driving Intuit’s growth strategy and operational priorities.
• Performance measurement and monitoring.
Continuously monitoring performance drives progress in risk mitigation
and continuously strengthens risk management capability.
Intuit’s ERM program provides our business leaders with an understanding
of current and emerging risks providing insights that inform strategic decisions.
Each year the journey has continued to increase the level of risk intelligence across
MEASURING PERFORMANCE AT INTUIT 229
the company by building risk management strength and continuously measuring
risk management effectiveness.
ERM MATURITY MODEL
ERM programs take time to establish and mature, and building the right founda-
tion is critical.
Patience is not an absence of action; rather it is “timing”; it waits on the right time
to act, for the right principles and in the right way.
–Fulton J. Sheen
Enterprise risk management programs are designed to drive identification of
risks that may affect a company and management of those risks in order to enable
achievement of the company’s objectives. As the level of risk management capabil-
ity matures, the value of ERM becomes more visible and impactful. The stages of
risk management maturity can be described in many ways, all of which generally
fall into the following levels (see Exhibit 12.1):
• Ad hoc risk management.
Risk Management activities are designed to address a specific problem or
task, and not intended to be adapted for wider application.
• Targeted risk management.
Independent risk management activities are focused on a limited set of
specific risk areas.
• Integrated risk framework.
A common, repeatable enterprise framework is used for assessment, own-
ership and accountability, and reporting of risk management performance.
Exhibit 12.1 Enterprise Risk Management Maturity Model (stages plotted against Risk Management Capability on the horizontal axis and Stakeholder Value on the vertical axis: Ad-hoc Risk Management, Targeted Risk Management, Integrated Risk Framework, Risk Intelligent, Risk Leadership)
• Risk intelligent.
Established processes are used to continuously measure and monitor risk
management effectiveness and drive optimal performance.
• Risk leadership.
Risk management is seamlessly embedded in strategic decision making.
The speed at which a company moves through each level of maturity will
vary, as it must be tailored to the individual needs and capacity for change of the
company.
BENEFITS OF MEASURING PERFORMANCE
IN ERM PROGRAMS
Performance measurement is not new. Measuring performance provides insights
into where additional attention may be required or potential opportunities exist.
Understanding the risk landscape enables business leaders to formulate and exe-
cute strategies informed by potential pitfalls and opportunities. The use of mea-
surements to monitor current significant risks, highlight emerging risks, and
understand the impact of both on company strategies and objectives is a key
component of any ERM program.
The type of performance measures used varies based on the objective. Key
risk indicators (KRIs) can be used to understand how potential emerging risks or
trends may impact current risks, business opportunities, and business strategies.
Key performance indicators (KPIs) can be used to measure the effectiveness of risk
management activities. Both of these types of indicators are important, and using
a combination of KRIs and KPIs can increase the value achieved from an ERM
program.
Using Key Performance Indicators to Measure Risk
Management Effectiveness
Key performance indicators are used to measure and monitor business strategies
and business operations. Performance measurement provides information on the
gaps between actual performance and targeted performance. It can be used to
determine organizational effectiveness and operational efficiency. Measuring and
monitoring risk management effectiveness is no different from measuring other
performance. Measures are identified, expected targets or thresholds are estab-
lished, and a starting point or baseline is set. Key performance indicators can take
many forms:
• Qualitative and quantitative indicators.
Qualitative measures are based on subjective characteristics or qualities
rather than on a quantity or measured value. Quantitative measures are
based on objective, quantifiable data, like percentages, counts, and ratios.
The difference between qualitative and quantitative measures can be con-
fusing, and there is often debate over which is better; however, both can be
equally useful, and many times a combination of qualitative and quantita-
tive measures can provide a more holistic picture of performance.
• Leading and lagging indicators.
Leading indicators are predictive in nature, like early warning signals. They
can highlight that an overall change in performance level is expected based
on specific triggers that are monitored. Lagging indicators provide insights
into the success or failure of an activity after it is complete.
� Input, process, and output indicators.
These indicators are useful in evaluating an end-to-end process. Input indi-
cators measure resources used in executing an activity. Process indicators
measure efficiency or productivity. Output indicators measure the result of
the process or activity.
In measuring risk management effectiveness, a combination of indicator types
is often used. The biggest challenge in measuring performance is knowing what
to measure. Selecting performance measures that cannot be gathered and tracked
on an ongoing basis or selecting performance measures that are too complex for
business leaders to understand their relevance will not provide value. To be most
effective, key performance indicators need to be defined so that they are clear,
meaningful, and measurable.
When defining KPIs for ERM, it is helpful to ensure that the following four characteristics are incorporated:
• Tangible. Tangible performance measures, aligned with the level of risk exposure that the company deems acceptable, provide true measures of risk management effectiveness, not just milestones in a risk management plan.
• Flexible. Flexible performance measures can be adjusted to changes in the organization and the risk landscape.
• Standardized. Common performance measures used enterprise-wide provide a view of how each business line's performance contributes to the aggregated risk exposure at the enterprise level.
• Outcome or objective focused. Performance measures are aligned to a specific objective or desired outcome.
Exhibit 12.2 provides some examples of key performance indicators.
Exhibit 12.2 Key Performance Indicators
Examples of Key Performance Indicators
Percentage of customer attrition
Percentage of employee turnover
Profitability of customers by demographic segments
Percentage of mission-critical business processes with tested contingency plans
Current-period write-offs or fraud losses
Analyzing Performance Data
Performance measurement alone is not enough to add value; learning from the information and applying that learning to drive changes that improve performance are important steps. The benefits of performance measurement are optimized by analyzing the data collected. Data analysis transforms performance information into useful input that helps business leaders make better risk-informed decisions. There are many types of analysis that can be used, and the choice will vary based on the objectives of the analysis.
While this list is not exhaustive, here are some examples of commonly used
analyses:
• Failure mode and effects analysis (FMEA). FMEA helps to identify potential failure points based on certain conditions. The consequences of failures are further analyzed to understand their impact on other parts of a system or process. FMEA can help to design more comprehensive risk mitigation efforts.
• Regression analysis. Regression analysis provides information on the relationship between one dependent variable and one or more independent variables. This type of analysis can be helpful in understanding the correlation between different risks.
• Pareto analysis. Pareto analysis measures the frequency of issues, from most to least frequent. This type of analysis is useful in making decisions that provide the greatest results—for example, targeting resources to address issues in a specific component of a process with the greatest number of errors or control failures.
• Root cause analysis. Root cause analysis is designed to identify and correct the fundamental cause of a problem. It helps focus remediation not on merely correcting symptoms but on preventing the recurrence of problems. This type of analysis is especially useful as a method to proactively forecast probable events before they occur.
• Scenario analysis. Scenario analysis uses discrete scenarios to understand the potential outcome. Typically the worst case, best case, and most likely case are considered. Single-point estimates or a Monte Carlo simulation model using a range of values can be used. This type of analysis is useful to enhance readiness and strengthen response capabilities.
• Benchmarking. Benchmarking compares a company's current practices to best practices. This type of analysis facilitates development of strategies to improve processes and performance measures.
• Threat analysis. Threat analysis can be used to evaluate a broad spectrum of areas such as natural disasters, criminal activity, legal or regulatory factors, technology trends, internal capabilities, and market forces. Using this type of analysis to gain insights into potential threats is useful to enhance readiness and strengthen response capabilities, as well as to enhance risk mitigation strategies.
Analyses such as these can be used to perform a deep review of a specific risk
area to understand effectiveness of current risk mitigation strategies, or can be used
broadly to understand potential emerging risks.
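As an added example, not taken from the chapter, the Pareto analysis described above is carried out in Python over a constructed list of control failures logged against process components: components are ranked by failure count, the cumulative share is computed, and the "vital few" components that together account for the first 80 percent of failures are returned so that remediation effort can be targeted there. The component names, counts, and the 80 percent cutoff are all constructed assumptions.

```python
"""Pareto analysis of control failures by process component.

Added example; the data below is constructed, not taken from any real review.
"""
from collections import Counter

# Constructed sample: one entry per control failure recorded during a review
# period, tagged with the process component it was logged against.
SAMPLE_FAILURES = [
    "access-provisioning", "access-provisioning", "access-provisioning",
    "access-provisioning", "access-provisioning", "access-provisioning",
    "change-approval", "change-approval", "change-approval", "change-approval",
    "backup-verification", "backup-verification",
    "vendor-review",
    "log-retention",
]


def pareto_table(events):
    """Rank components by failure frequency and attach share and
    cumulative share of all failures, most frequent first."""
    counts = Counter(events)
    total = sum(counts.values())
    rows = []
    cumulative = 0
    for component, n in counts.most_common():
        cumulative += n
        rows.append({
            "component": component,
            "count": n,
            "share": n / total,
            "cumulative_share": cumulative / total,
        })
    return rows


def vital_few(rows, cutoff=0.80):
    """Return the components that together account for the first `cutoff`
    share of failures, i.e. where a Pareto chart says to spend effort first.
    The 80 percent cutoff is an assumption, not a rule from the chapter."""
    selected = []
    for row in rows:
        selected.append(row["component"])
        if row["cumulative_share"] >= cutoff:
            break
    return selected


if __name__ == "__main__":
    table = pareto_table(SAMPLE_FAILURES)
    for row in table:
        print(f"{row['component']:<22} {row['count']:>3} "
              f"{row['share']:6.1%} {row['cumulative_share']:6.1%}")
    print("Vital few:", vital_few(table))
```

Because the table keeps the cumulative share per row, the same output can feed a KPI such as "share of control failures in the top three components" and be tracked period over period.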
Using Key Risk Indicators to Understand Potential New Risks or Changing Risks
Most organizations use key performance indicators to monitor progress in meeting corporate objectives. Those indicators provide valuable information, including insights into risks. However, key performance indicators primarily provide insights into risks already well known by the organization. With ever-changing business environments challenging companies to take a longer-term view into potential risks, there is increased focus on understanding emerging risks. Key risk indicators are used to provide an early warning signal by not just looking at current risks but looking for leading indicators or triggers in the business environment. These triggers can be used to develop strategies that better position the company to manage new risks as they arise. Development of risk indicators can come from analysis of previous risk events to understand their root cause and triggers that can be used in the future as risk indicators. External information, such as economic indicators, industry benchmarks and trends, competitor actions, and the like, can all be utilized in developing key risk indicators. Just as with key performance indicators, key risk indicators are most effective if they are tangible, flexible, standardized, and outcome or objective focused.
Exhibit 12.3 provides some examples of key risk indicators.
Exhibit 12.3 Key Risk Indicators
Examples of Key Risk Indicators
Industry trends in customer attrition
Frequency of critical process failures
Trends in gasoline or other critical commodity prices in relevant geographies
Unexpected significant change in number of competitors or suppliers
Spreads on debt for comparably rated companies
ERM PERFORMANCE MEASUREMENT AND REPORTING AT INTUIT
Performance measurement in Intuit's ERM program has been a journey of continuous improvement. As ERM programs mature over time, increasing their complexity and value, performance measures and reporting must evolve as well. What gets measured at each level of maturity may vary greatly. The ERM performance measurement approach at Intuit has been continuously updated to keep it relevant and flexible with respect to the organization's level of risk management maturity. At each stage in the evolution of ERM maturity, objectives and expectations are adjusted. In addition, the appropriateness of current metrics is evaluated given the constantly changing business environment.
First Evolution: ERM Process Adoption
In the early stages of ERM maturity at Intuit, performance measurement was focused on adoption of the ERM process. The objective was to ensure a robust process of risk identification and prioritization facilitating focus on the most significant risks. The measures at this point were twofold: process participation and risk assessment impact and likelihood. Reporting to executive management and the board included the results of the annual assessment, participation rates and heat maps, as well as an outline of strategies to improve the company's top risks.
ERM Process Participation
Participation in the process was targeted at senior leadership at both the company and business line levels. Business line leadership provided subject matter expertise and insights into the most significant risks facing their specific businesses. Executive management provided an enterprise perspective. The desired participation rate target was 80 percent or greater. Participation rates were calculated at the individual business line level as well as at the company level. This may seem like a very simplistic measure, but you need to consider the level of risk management maturity that was in place at this point. Expecting business leaders to track complex measures when they are just beginning to build a risk management capability may be unrealistic. Measuring participation in the ERM process provided an indicator of risk awareness and risk management currently in place. This was an important benchmark. Since performance measurement provides information on the gaps between actual performance and targeted performance, this measure highlighted opportunities to help business leaders increase their risk focus and knowledge.
Risk Impact and Likelihood
Intuit's ERM program, like many other companies' programs, includes an annual risk assessment. The annual risk assessment provides an enterprise-wide understanding of key risks. Intuit conducts risk assessments at both the company level and on an individual business line level. The assessment solicits information from the company's executive management on the impact and likelihood of risks affecting the organization's strategies and objectives. Measuring impact and likelihood is clearly defined and standardized, facilitating aggregation of the information received from participants across the company. Heat maps, as illustrated in Exhibit 12.4, are used to show the results of the assessment, and attention is then focused on the risks in the upper right-hand quadrant.
[Exhibit 12.4 figure: a heat map with Likelihood on the horizontal axis (Low to High) and Impact on the vertical axis (Low to High), with a 1-to-6 scale shown.]
Exhibit 12.4 Risk Impact and Likelihood Diagram
This type of performance measurement and reporting provided many benefits, including:
• Helping business leaders to understand the effect of risks on performance against strategic goals and objectives
• Targeting focus to the critical few, and in doing so accelerating progress on addressing these risks
• Identifying potential events or circumstances that may impede ability to optimize performance
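As an added example, not from the chapter or from Intuit, the two first-evolution measures are computed below in Python from constructed assessment responses: the participation rate per business line and for the company against the 80 percent target (reporting the gap where the target is missed), and the aggregated impact and likelihood per risk placed on a 1-to-6 heat map, with the upper-right quadrant flagged for attention. The business line names, participant ids, risks, and scores are constructed; treating the scale midpoint as the quadrant boundary is an assumption.

```python
"""Participation rate and impact/likelihood heat-map aggregation.

Added example; all names and scores below are constructed.
"""
from collections import defaultdict
from statistics import mean

SCALE_MAX = 6                 # heat map axes run 1..6 (Exhibit 12.4)
PARTICIPATION_TARGET = 0.80   # desired participation rate from the chapter

# Constructed: who was invited to the assessment, per business line.
INVITED = {
    "Consumer": ["a", "b", "c", "d", "e"],
    "Small Business": ["f", "g", "h", "i"],
}

# Constructed responses: (business line, participant, risk, impact, likelihood).
RESPONSES = [
    ("Consumer", "a", "Data breach", 6, 3),
    ("Consumer", "b", "Data breach", 5, 4),
    ("Consumer", "c", "Data breach", 6, 4),
    ("Consumer", "d", "Key talent attrition", 3, 5),
    ("Consumer", "a", "Key talent attrition", 2, 4),
    ("Small Business", "f", "Data breach", 5, 4),
    ("Small Business", "g", "Vendor outage", 4, 2),
    ("Small Business", "h", "Vendor outage", 2, 2),
]


def participation_rates(invited, responses):
    """Share of invited leaders who responded, per line and company-wide.
    A participant counts once however many risks they scored."""
    responded = defaultdict(set)
    for line, participant, *_ in responses:
        responded[line].add(participant)
    rates = {line: len(responded[line]) / len(people)
             for line, people in invited.items()}
    total_invited = sum(len(p) for p in invited.values())
    total_responded = sum(len(s) for s in responded.values())
    rates["Company"] = total_responded / total_invited
    return rates


def participation_gaps(rates, target=PARTICIPATION_TARGET):
    """Gap between target and actual for every unit below target."""
    return {unit: round(target - r, 4) for unit, r in rates.items() if r < target}


def aggregate_risks(responses):
    """Mean impact and mean likelihood per risk across all respondents."""
    scores = defaultdict(lambda: {"impact": [], "likelihood": []})
    for _, _, risk, impact, likelihood in responses:
        scores[risk]["impact"].append(impact)
        scores[risk]["likelihood"].append(likelihood)
    return {risk: (mean(v["impact"]), mean(v["likelihood"]))
            for risk, v in scores.items()}


def quadrant(impact, likelihood, scale_max=SCALE_MAX):
    """Place a point on the heat map; the axis midpoint (3.5 on a 1-6 scale)
    is the assumed boundary between Low and High."""
    mid = (1 + scale_max) / 2
    high_impact, high_likelihood = impact > mid, likelihood > mid
    if high_impact and high_likelihood:
        return "upper-right"
    if high_impact:
        return "upper-left"
    if high_likelihood:
        return "lower-right"
    return "lower-left"


def top_risks(responses):
    """Risks in the upper-right quadrant, i.e. where attention is focused."""
    agg = aggregate_risks(responses)
    return sorted(r for r, (i, l) in agg.items() if quadrant(i, l) == "upper-right")


if __name__ == "__main__":
    rates = participation_rates(INVITED, RESPONSES)
    print("Participation:", rates)
    print("Below target:", participation_gaps(rates))
    for risk, (i, l) in aggregate_risks(RESPONSES).items():
        print(f"{risk:<22} impact={i:.2f} likelihood={l:.2f} -> {quadrant(i, l)}")
    print("Top risks:", top_risks(RESPONSES))
```

Keeping the aggregation (`aggregate_risks`) separate from the placement rule (`quadrant`) is what lets the same standardized scale be applied at the business line and company levels: change the input set of responses and the heat map logic is unchanged.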
Second Evolution: Risk Mitigation Progress Measurement
With the rhythm of an annual ERM assessment in place and top risks at the company and business line level appropriately prioritized, the focus shifted to building risk management strength. The objective was to ensure direct alignment of risk management activities and resources to the most critical issues identified as part of the assessment process. The focus of performance measurement was on the top risks identified at the company and business line levels. Ownership and accountability for the top risks are specifically designated to a senior leader at the company level or business line level. Performance measurement includes an indicator of the status of overall risk exposure, an indicator of current risk trending, as well as a separate measure tracking the progress on individual risk mitigation activities. Exhibit 12.5 provides an example of the levels of status indicators.
Quarterly ERM performance reporting is integrated into Intuit's annual enterprise and business line strategic planning process and quarterly operating reviews. Exhibit 12.6 provides a sample business line top risk status report.
Color-coded levels (Status of Risk Exposure / Plan Status):
Status of Risk Exposure:
• Missing or ineffective mitigation and/or significant process breakdowns. Further action required.
• Some mitigation in place, stronger additional mitigation needed. Plans developed and some risk reduction occurring.
• Managed well with appropriate mitigation in place. Risk has been reduced to an acceptable level.
• Status not available (N/A).
Plan Status:
• Plan significantly at risk.
• Plan potentially at risk.
• Plan on schedule.
• Plan not started.
• Plan complete.
Exhibit 12.5 Example of Levels of Status Indicators
This type of performance measurement and reporting provides many benefits, including:
• Demonstrating the breadth of top risk coverage with defined risk management plans
• Highlighting potential gaps in resources to execute mitigation activities
• Providing transparency to risk management activities across the organization and opportunities to leverage common risk management strategies and best practices
Exhibit 12.6 Sample Business Line Top Risk Status Report
Risk 1: Status as of x period

                  KPI/KRI 1   KPI/KRI 2   KPI/KRI 3   KPI/KRI 4   KPI/KRI 5   KPI/KRI 6   Overall
Business Line 1
Business Line 2   Not measured
Business Line 3
Business Line 4
Business Line 5
Business Line 6
Business Line 7   Not measured

KPI / KRI 1 rating criteria example:
  Medium Gray: ≤ X
  Light Gray: Between x and x
  Dark Gray: > x
Exhibit 12.7 Sample Executive Dashboard
Third Evolution: Multidimensional Risk Management Performance Measurement
As Intuit's program evolved, performance measurement and reporting focus moved from tracking progress on risk mitigation to a more holistic approach. The objective was to actively monitor the most important risks facing the company and ensure that business leaders were proactively adjusting strategies to balance managing these risks and leveraging the opportunities they provide. To this end, executive dashboards were developed, which use a combination of key performance indicators and key risk indicators. Aggregation of a number of different KPIs provides a multidimensional view of risk and an overall risk score. Standard metrics are used enterprise-wide to ensure that all business lines are aligned to the objectives. Additionally, an overall risk rating is assigned that demonstrates the collective effect of these activities on the risk exposure at the company level. Dashboards for each of the company's top risks and an overall summary are routinely reported to the board and executive management. Exhibit 12.7 provides a sample executive dashboard.
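As an added example (not Intuit's dashboard logic), the rating criteria sketched under Exhibit 12.7 are implemented below in Python as threshold bands per indicator, rolled up into an overall rating per business line and then into a company-level rating. The code uses green/amber/red labels in place of the exhibit's gray shades, treats a missing indicator as "not measured" rather than as a pass, and takes the worst measured rating as the overall, so that one red indicator is never averaged away. The indicator names, thresholds, and values are constructed assumptions.

```python
"""Threshold-based KPI/KRI ratings rolled up into a dashboard.

Added example; indicators, thresholds and values are constructed.
"""
from dataclasses import dataclass

# Severity order used for the roll-up: the worst measured rating wins.
RATING_ORDER = {"green": 0, "amber": 1, "red": 2}


@dataclass(frozen=True)
class Criteria:
    """Rating bands in the exhibit's shape: '<= X', 'between X and Y', '> Y'.
    lower_is_better=False flips the bands for indicators where high is good
    (e.g. percentage of processes with tested contingency plans)."""
    low: float
    high: float
    lower_is_better: bool = True

    def rate(self, value):
        if value is None:
            return "not measured"      # absent data is reported, not assumed good
        if self.lower_is_better:
            if value <= self.low:
                return "green"
            if value <= self.high:
                return "amber"
            return "red"
        if value >= self.high:
            return "green"
        if value >= self.low:
            return "amber"
        return "red"


# Constructed criteria: the first two draw on Exhibit 12.2/12.3 indicator
# names, the thresholds themselves are invented for the example.
CRITERIA = {
    "customer_attrition_pct": Criteria(low=2.0, high=5.0),
    "critical_process_failures": Criteria(low=0, high=2),
    "contingency_plans_tested_pct": Criteria(low=70.0, high=90.0, lower_is_better=False),
}

# Constructed current-period values; None marks an indicator not yet measured.
BUSINESS_LINES = {
    "Business Line 1": {"customer_attrition_pct": 1.5, "critical_process_failures": 0,
                        "contingency_plans_tested_pct": 95.0},
    "Business Line 2": {"customer_attrition_pct": 4.0, "critical_process_failures": None,
                        "contingency_plans_tested_pct": 80.0},
    "Business Line 3": {"customer_attrition_pct": 6.5, "critical_process_failures": 1,
                        "contingency_plans_tested_pct": 60.0},
}


def rate_business_line(values, criteria=CRITERIA):
    """Rate each indicator and add an 'Overall' equal to the worst measured
    rating; a line with nothing measured is itself 'not measured'."""
    ratings = {name: c.rate(values.get(name)) for name, c in criteria.items()}
    measured = [r for r in ratings.values() if r in RATING_ORDER]
    ratings["Overall"] = max(measured, key=RATING_ORDER.get) if measured else "not measured"
    return ratings


def dashboard(lines=BUSINESS_LINES, criteria=CRITERIA):
    """One row of ratings per business line, as in the exhibit."""
    return {line: rate_business_line(values, criteria) for line, values in lines.items()}


def company_rating(board):
    """Company-level rating: the worst of the business lines' overall ratings."""
    overall = [r["Overall"] for r in board.values() if r["Overall"] in RATING_ORDER]
    return max(overall, key=RATING_ORDER.get) if overall else "not measured"


if __name__ == "__main__":
    board = dashboard()
    for line, ratings in board.items():
        print(line, ratings)
    print("Company:", company_rating(board))
```

The worst-of roll-up is a deliberate choice for a risk dashboard: averaging would let a red indicator in one line disappear behind several greens, which is exactly the gap in coverage the dashboard exists to surface.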
This type of performance measurement and reporting has provided many benefits, including:
• Providing visibility into business line risks to aid understanding of the cumulative impact of these risks on Intuit as a whole
• Enabling the company to drive focus and allocate resources to the highest-impact work, and to accelerate progress on specific risks by leveraging a rigorous program from the center and coordinated business line effort
• Driving the development and adoption of enterprise standards and best practices (e.g., hosting principles, security standards, technology principles)
From:
• Tactical activities to address current gaps
• Narrow scope
• Long road maps
To:
• Better understanding of the risks and their effect on company growth
• Longer term view of strategies to address risk, with tighter timelines to accelerate progress
• Embrace Innovation
Exhibit 12.8 From Tactical Risk Management to Strategic Risk Management
As Intuit’s ERM program, and the approach to performance measurement and
reporting, has matured, we have a higher bar for risk management—it is more
strategic, and we have significantly improved execution. We have moved from
tactical risk management to strategic risk management, as shown in Exhibit 12.8.
CONCLUSION
This chapter has described the value of performance measurement as a component of ERM programs.
At Intuit, risk management is the responsibility of everyone in the organization, from the board and executive management all the way down to the individual employees. To ensure that risk management is effective, it must be a core business competency, and measuring performance facilitates tracking that the appropriate level of competency is achieved.
Intuit's ERM program provides a rigorous and coordinated approach to assessing and responding to risks. It recognizes the upside opportunity and downside nature of risks. Routine performance measurement is a critical component of the program and not only ensures a focus on the most significant risks but also accelerates progress on managing current and emerging risks and assures alignment with strategic goals.
Performance is reviewed regularly with the Audit and Risk Committee of the board, and, as a result, feedback drives continuous innovation around performance measurement and reporting. ERM is viewed as an integral part of the company's current operating model, and continuously improves enterprise-wide risk awareness, monitoring, and management.
QUESTIONS
1. How do Key Risk Indicators help companies identify emerging risks?
2. How do Key Performance Indicators help companies to manage existing risks?
3. If measuring performance is not a component of an ERM program, what is the effect on
the overall quality of the program?
4. How can the Board be confident in the information reported on management’s progress
in responding to significant risks?
ABOUT THE CONTRIBUTOR
Janet Nasburg is Chief Risk Officer at Intuit, makers of QuickBooks, TurboTax, Quicken, and Mint. Intuit is committed to revolutionizing the way people manage their small businesses and personal finances. Ms. Nasburg is responsible for driving Intuit's enterprise risk management capability to ensure that the company appropriately balances opportunities and risks to achieve optimal business results. She reports routinely to the board of directors on the company's risk landscape, risk tolerance, and emerging risks.
Ms. Nasburg has more than 30 years of experience in finance and risk management. She is on the executive committee of the Conference Board's Strategic Risk Management Council, and is also a member of the Institute of Internal Auditors. She is a Certified Internal Auditor (CIA), Certified in Risk Management Assurance (CRMA), and Certified in Control Self Assessment (CCSA). She has a BS in agricultural economics and business management from the University of California, Davis, and an MBA in finance from the Graduate School of Business, San Francisco State University.
CHAPTER 13
TD Bank’s Approach
to an Enterprise Risk
Management Program
PAUL CUNHA
Vice President, Enterprise Risk Management for TD Bank Group
KRISTINA NARVAEZ
President and Owner of ERM Strategies, LLC
This case study focuses on how TD Bank Group uses enterprise risk management (ERM) to grow profitably while keeping in mind the balance between taking and managing its risks. TD recognizes that having a strong risk culture and approach to risk management is fundamental to success. TD's ERM approach is comprehensive and proactive. It combines the experience and specialized knowledge of individual business segments, risk professionals, and the corporate oversight functions. It is based on enabling TD's business to understand the risks it faces and to develop the policies, processes, and controls required to manage them appropriately in alignment with the bank's strategy and risk appetite.
BACKGROUND
Headquartered in Toronto, Canada, with more than 85,000 employees in offices
around the world, TD and its subsidiaries offer a full range of financial products
and services to approximately 22 million customers worldwide through three key
business lines:
1. Canadian retail, including TD Canada Trust, TD Auto Finance Canada,
Canadian credit cards, Canadian wealth, and TD Insurance
2. Wholesale Banking, including TD Securities
3. U.S. retail, including TD Bank (“America’s Most Convenient Bank”), TD
Auto Finance U.S., U.S. wealth, and U.S. credit cards
As of April 30, 2014, TD had $896 billion (Canadian) in assets. TD also ranks among the world's leading online financial services firms, with approximately eight million active online and mobile customers. It is the second-largest bank in Canada and the tenth-largest bank in the United States (by market capitalization). TD trades on the Toronto Stock Exchange and New York Stock Exchange under the symbol "TD."
ERM at TD Bank
TD's risk management approach is comprehensive; TD Bank's Enterprise Risk Framework (ERF) reinforces TD's risk culture and ensures that all stakeholders have a common understanding of how TD manages risk. The ERF addresses: (1) the nature of the risks to TD's business strategy and operations; (2) how TD defines the types of risk it is exposed to; (3) risk management governance; and (4) how TD manages risk through processes that identify, measure, assess, control, and monitor risk. TD's risk management resources and processes are designed to enable all of its businesses to understand the risks they face and to manage them within TD's risk appetite.
TD's Risk Appetite Statement is the primary means used to communicate how TD views risk and determines the risks it is willing to take in order to grow its business. TD takes into account its mission, vision, guiding principles, and strategy, as well as risk philosophy and capacity to bear risk, in defining its risk appetite.
TD takes risks required to build its business, but only if those risks:
• Fit its business strategy, and can be understood and managed
• Do not expose the enterprise to any significant single-loss events
• Do not risk harming the TD brand
In applying its risk appetite, TD considers both the current conditions in which it operates and the impact that emerging risks will have on TD's strategy and risk profile. Adherence to the enterprise risk appetite is managed and monitored across TD and is based on a broad collection of principles, policies, processes, and procedures, including risk appetite statements and related performance measures for major risk categories and the business segments.
At the enterprise level, metrics are tracked against key risks like capital adequacy, market risk, liquidity risk, credit risk, and operational risk. These metrics and compliance with the Risk Appetite Statement are monitored and reported by risk dashboards on an ongoing basis. To ensure that TD Bank's Risk Appetite Statement remains current and relevant, TD has established a Risk Appetite Governance Framework approved annually by the Risk Committee of the Board (RCoB). This framework describes TD's processes, structure, and responsibilities to develop, govern, and approve the Enterprise and Business Segments Risk Appetite Statements and the requirements for monitoring and escalating exceptions. Specifically, the governance process provides that:
• The Enterprise and Business Segments Risk Appetite Statements and related metrics must be reviewed at least annually.
• Updates and amendments are developed by Risk Management with input from business segments, corporate functions, the senior executive team, and the RCoB.
• The TD Enterprise Risk Appetite Statement and related metrics must be reviewed and approved by the RCoB annually.
• The Business Segment Risk Appetite Statements must be recommended by each of the Business Group heads and approved by the president and chief executive officer (CEO) and chief risk officer (CRO) annually.
• Performance against the Enterprise and Segment Risk Appetite Statements must be monitored and reported on an ongoing basis.
Understanding an Organization's Risks Helps Reinforce the Risk Culture
Each of the ERF's components reinforces the desired risk culture of TD Bank, and they are all equally necessary to ensure that TD successfully manages its risk. The ERF sets the direction of how TD manages enterprise risk. The TD Risk Inventory sets out TD's major risk categories and related subcategories to enable a consistent language and approach to measuring, reporting, and disclosing TD's risks. This inventory of risks facilitates consistent enterprise risk identification and becomes the starting point to develop the appropriate risk strategies and processes to manage TD's risk exposure. Definitions of common terms include:
Strategic risk is the potential for financial loss or reputational damage arising from ineffective business strategies, improper implementation of business strategies, or a lack of responsiveness to changes in the business environment. The CEO manages strategic risk supported by the members of the senior management team. Together they define the overall strategy, in consultation with and subject to approval by the board.
Credit risk is the risk of loss if a borrower or counterparty in a transaction fails to meet its agreed payment obligations. Credit risk is one of the most significant and pervasive risks in the banking sector. Every loan, extension of credit, or transaction that involves transfer of payments between TD and other parties or financial institutions exposes TD to some degree of credit risk. The responsibility of credit risk management is enterprise-wide. Each business segment's credit risk control unit is primarily responsible for credit decisions and must comply with established policies, exposure guidelines, and credit approval limits.
Market risk is the risk of loss in financial instruments or the balance sheet due to adverse movements in market factors such as interest and exchange rates, prices, credit spreads, volatilities, and correlations. TD is exposed to market risk in its trading and investment portfolios, as well as through its nontrading activities. The primary responsibility for managing market risk in trading activities lies with Wholesale Banking with oversight from Market Risk Control within Risk Management.
Liquidity risk is the risk of having insufficient cash or collateral resources to meet financial obligations without raising funds at unfavorable rates or being unable to sell assets at a reasonable price in a timely manner. Demand for cash can arise from deposit withdrawals, debt maturities, and commitments to provide credit or liquidity support. The Asset/Liability and Capital Committee oversees the liquidity risk management program.
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. Operational risk is embedded in all of the bank's business activities, including the practices for managing other risks such as credit, market, and liquidity risk. Operational Risk Management is an independent function that designs and maintains TD's overall operational risk management framework. This framework sets out the enterprise-wide governance processes, policies, and practices to identify, assess, report, mitigate, and control operational risks.
Insurance risk is the risk of financial loss due to actual experience emerging differently from expected in insurance product pricing or reserving. This could be due to adverse fluctuations in timing, actual size, and/or frequency of claims, mortality, morbidity, policyholders' behavior, or associated expenses incurred. Senior management within the insurance business units has primary responsibility for managing insurance risk with oversight by the Chief Risk Officer for Insurance, who reports into Risk Management.
Legal, regulatory, and compliance risk is the risk of negative impact to business activities, earnings or capital, regulatory relationships, or reputation as a result of failure to comply with or to adapt to current and changing regulations, laws, industry codes, rules, or regulatory expectations. Legal risk includes the potential for civil litigation or criminal or regulatory proceedings being commenced against the bank that, once decided, could materially and adversely affect its business, operations, or financial condition. Business segments and corporate areas are responsible for managing day-to-day regulatory and legal risk, while the Legal, Compliance, Global Anti-Money Laundering, and Regulatory risk groups assist them by providing advice and oversight.
Capital adequacy risk is the risk of insufficient capital available in relation to the amount of capital required to carry out the bank's strategy and to satisfy regulatory capital adequacy requirements. Capital is held to protect the viability of the bank in the event of unexpected financial losses. The board of directors has the ultimate responsibility for overseeing adequacy of capital and capital management. The board reviews the adherence to capital limits and targets, and reviews and approves the annual capital plan and the Capital Management Policy.
Reputational risk is the potential that stakeholder impressions, whether true or not, regarding an institution's business practices, actions, or inactions, will or may cause a decline in the institution's value, brand, liquidity, or customer base. TD Bank's enterprise-wide Reputational Risk Management Policy is approved by the Risk Committee of the Board. This policy sets out the framework under which each business unit is required to implement a reputational risk policy and procedures. These include designating a business-level committee to review reputational risk issues and to identify issues to be brought to the Enterprise Reputational Risk Committee.
Risk Governance Structure
TD’s risk governance structure emphasizes and balances strong central oversight
and control of risk with clear accountability for, and ownership of, risk within each
business unit. Under TD’s approach to risk governance, the business owns the risk
that it generates and is responsible for assessing risk, designing and implementing
controls, and monitoring and reporting its ongoing effectiveness to safeguard TD
from exceeding its risk appetite.
TD's risk governance model includes a senior management committee structure to support transparent risk reporting and discussion with overall risk and control oversight provided by the board and its committees. The CEO and Senior Executive Team determine TD's long-term direction within the bank's risk appetite and apply it to the businesses. Risk Management, headed by the Group head and chief risk officer (CRO), sets enterprise risk strategy and policy and provides independent oversight to support a comprehensive and proactive risk management approach for TD.
TD employs a "three lines of defense" model that describes the roles of the business, governance, risk, and oversight groups in managing TD Bank's risk profile. The first line of defense is the business and corporate line of accountabilities and includes the following:
• Managing and identifying risks in day-to-day activities
• Ensuring that activities are within TD's risk appetite and risk management practices
• Designing, implementing, and maintaining effective internal controls
• Monitoring and reporting on the risk profile
The second line of defense deals with setting standards and challenging business assumptions to improve governance, risk, and control groups' responsibilities and accountability. These include the following:
• Establishing enterprise governance, risk, and control strategies and practices
• Providing oversight and independent challenge to the first line through review, inquiry, and discussion
• Developing and communicating governance, risk, and control policies
• Providing training, tools, and advice to support policy compliance
• Monitoring and reporting on compliance with risk appetite and policies
The third line of defense is independent assurance through the internal audit department, which allows for the following:
• Verifying independently that TD's ERF is operating effectively
• Validating the effectiveness of the first and second lines of defense in fulfilling their mandates and managing the risk profile
The Risk Committee of the Board (RCoB) oversees TD’s risk direction and the
implementation of an effective risk management culture and internal control framework across the
enterprise. In support of this oversight, the RCoB reviews, challenges, and
approves certain risk policies while also reviewing and approving TD’s Risk
Appetite Statement.
TD’s executive committees provide oversight at the most senior level and
support management by guiding, challenging, and advising executive decision
makers. The following committees oversee governance, risk, and control activities
relating to the bank’s key risks, and review and monitor the risk strategies and
associated risk activities and practices:
• The Enterprise Risk Management Committee oversees the management of
major enterprise governance and risk and control activities.
• The Asset/Liability and Capital Committee (ALCO) oversees the manage-
ment of TD’s nontrading market risk and each of its consolidated liquidity,
funding, investments, and capital positions.
• The Operational Risk Oversight Committee oversees the strategic assess-
ment of TD’s governance, control, and operational risk structure.
• The Disclosure Committee ensures that appropriate controls and procedures
are in place and operating to permit timely, accurate, balanced, and compli-
ant disclosure to regulators, shareholders, and the market.
• The Reputational Risk Committee ensures that corporate or business ini-
tiatives with significant reputational risk profiles have received adequate
review for reputational risk implications prior to implementation.
The Risk Management function, headed by the CRO, provides independent
oversight of risk governance and control, and is responsible for establishing
risk management strategy, policies, and practices. Risk Management’s primary
objective is to support a comprehensive and proactive approach to risk man-
agement that promotes a strong risk management culture. Risk Management
works with the business segments and other corporate oversight groups to estab-
lish policies, standards, and limits that align with TD’s risk appetite, and moni-
tors and reports on existing and emerging risks and compliance with TD’s risk
appetite.
Each business segment has an embedded risk management function that
reports directly to a senior risk executive, who in turn reports to the CRO. This
structure supports an appropriate level of central oversight while emphasizing
ownership and accountability for risk within the business segment. Business man-
agement is responsible for recommending the business-level risk appetite and met-
rics, which are reviewed and challenged as necessary by Risk Management and
ultimately approved by the CEO.
TD’s audit function provides independent assurance to the board of the
effectiveness of the risk management, control, and governance processes employed
to ensure compliance with TD’s risk appetite. Internal Audit reports on its
evaluation to management and the RCoB. The Compliance group establishes
risk-based programs and standards to proactively manage known and emerging
compliance risks across TD; it provides independent oversight and delivers opera-
tional control processes to comply with applicable legislative and regulatory
requirements.
The Global Anti-Money Laundering (AML) group establishes a risk-based pro-
gram and standards to proactively manage known and emerging money launder-
ing compliance risks across TD. The AML group provides independent oversight
and delivers operational control processes to comply with the applicable legisla-
tion and regulatory requirements. The Treasury and Balance Sheet Management
(TBSM) group manages, directs, and reports on TD’s capital and investment posi-
tions, interest rate risk, liquidity and funding risks, and the market risks of TD’s
nontrading bank activities. The Risk Management function oversees TBSM’s capi-
tal and investment activities.
Risk Identification, Assessment, and Reporting
TD applies the following principles to how it manages risks:
• Enterprise-wide in scope. Risk management spans all areas of TD, including
third-party alliances and joint venture undertakings and all boundaries, both
geographic and regulatory.
• Transparent and effective communication. Matters relating to risk are commu-
nicated and escalated in a timely, accurate, and forthright manner.
• Enhanced accountability. Risks are explicitly owned, understood, and actively
managed by business management and all employees, individually and col-
lectively.
• Independent oversight. Risk policies, monitoring, and reporting will be estab-
lished independently and objectively.
• Integrated risk and control culture. Risk management discipline is integrated
into TD’s daily routines, decision making, and strategy.
• Strategic balance. Risks are managed to an acceptable level of exposure, rec-
ognizing the need to protect and grow shareholder value.
Risk identification and assessment are focused on recognizing and under-
standing existing risks, risks that may arise from new or evolving business ini-
tiatives, and emerging risks from the changing environment. TD looks to establish
and maintain integrated risk identification and assessment processes that enhance
the understanding of risk interdependencies, consider how risk types interact, and
support the identification of emerging risks.
Depending on the risk type, the risk identification and assessment process may
be developed and/or controlled by the business segment with oversight provided
by Risk Management, or it may be controlled by a function within Risk Manage-
ment. For example, credit risk assessment processes developed by a business seg-
ment exist for both retail and nonretail clients. The nature of those processes may
vary by and/or within a business segment depending on the specific nature of the
risk. Risk Management’s role in these processes is to provide oversight and chal-
lenge to ensure that the analysis and results produced by the process focus on the
relevant issues.
Other risk identification and assessment processes that can and/or
need to be applied on a consistent basis across TD have been developed by Risk
Management at the enterprise level. Examples of such processes would include the
Risk and Control Self-Assessment (RCSA) report, the Emerging Risk Identification
process, scenario analysis and stress testing, and the Internal Capital Adequacy
Assessment Process (ICAAP).
Risk Measurement
The ability to quantify risks is also a key commitment of TD’s risk management
processes. These processes align with regulatory requirements for capital ade-
quacy, leverage ratios, liquidity measures, stress testing, and maximum credit
exposure guidelines. TD has a process in place to quantify risks to provide accurate
and timely measurements of the risks it assumes.
In quantifying risk, TD uses various risk measurement methodologies, includ-
ing value at risk (VaR) analysis, scenario analysis, stress testing, and limits. Other
examples of risk measurements include credit exposures, provision for credit
losses, peer comparisons, trending analysis, liquidity coverage, and capital ade-
quacy metrics. TD also conducts structured Risk and Control Self-Assessment
(RCSA) programs and monitors internal and external risk events. This allows TD
to identify, escalate, and monitor significant risk issues as needed.
TD’s Enterprise-Wide Stress Testing involves the development, application,
and assessment of severe but plausible stress scenarios on earnings, liquidity, and
capital of the bank. It enables senior management and the board and its commit-
tees to identify and articulate enterprise-wide risks and understand potential vul-
nerabilities for TD. It informs and supports risk appetite, capital adequacy, and
liquidity requirements, providing a framework to assess emerging, concentration,
and contagion risks.
Risk Control
TD’s risk control processes are established and communicated through risk com-
mittees and approved policies, procedures, and control limits. Policies are used
as a key risk control tool to provide consistency, predictability, and alignment
with risk appetite by communicating the principles, rules, and limits to guide and
determine decisions and behaviors. TD’s Policy Governance Framework provides
a common structure and requirements for the consistent development, implemen-
tation, approval, and management of policy at TD.
TD’s approach to risk control includes risk and capital assessments to
appropriately capture key risks in TD’s measurement and management of cap-
ital adequacy. This involves the review, challenge, and endorsement by senior
management committees of the ICAAP practices. The Internal Control Frame-
work describes enterprise principles governing internal control and management
accountability to own and manage risk across the enterprise by practicing ongo-
ing risk and control self-assessment; designing, implementing, and monitoring the
effectiveness of a comprehensive program of internal control; and responding in a
timely manner to control weaknesses identified by management, governance, risk
and control groups, Internal Audit, or other parties.
In recognition of the importance of technology risk control and management,
TD has established the Technology Risk Management and Information Security
Program, which is designed to reduce business risk with technology controls, and
to protect the bank, its customers, and its employees. This enterprise-wide program
is delivered through governance and policy setting, along with the Technology
Risk Assessment and Control Framework that generates awareness, communica-
tions and ongoing assessments, information security architecture and strategy, and
vulnerability and incident management.
Risk Monitoring and Reporting
TD monitors and reports on risk levels on a regular basis to senior management,
the RCoB, and the board. Complementing regular risk monitoring and reporting,
ad hoc risk reporting is provided as appropriate for new and emerging risk or any
significant changes to the bank’s risk profile. Risk-specific reporting is also in place
as described in the relevant risk-specific frameworks.
TD’s risk dashboards provide a comprehensive quantitative and qualitative
assessment of key risk types across the enterprise. The risk dashboards reflect
established guidelines and risk tolerance based on TD policies that encompass key
aspects of risk to the businesses.
TD measures management’s performance against risk appetite using the Risk
Appetite Scorecard, which is a consolidated assessment of enterprise and busi-
ness segment risk performance measured against risk appetite metrics. In com-
pleting the Risk Appetite Scorecard, TD Risk Management assesses various fac-
tors to determine whether the bank takes risks consistent with the Risk Appetite
Statement and whether the risk level changed in the businesses as a result of man-
agement actions or external factors. This annual assessment of management’s per-
formance against TD’s risk appetite is used as a key input into compensation deci-
sions.
Extensive external reporting is produced to comply with legal and regulatory
requirements. TD also discusses the ERF and related risk management practices
in the Management Discussion and Analysis (MD&A) section of its annual report.
All forward-looking statements to external stakeholders included in the MD&A
are, by their very nature, subject to inherent risks and uncertainties, general and
specific, which may cause the bank’s actual results to differ materially from the
expectations expressed in the forward-looking statements.
CONCLUSION
TD Bank’s earnings are affected by the general business and economic conditions
in Canada and the United States. These conditions include short-term and long-
term interest rates, inflation, fluctuations in debt and capital markets, consumer
debt levels, government spending, exchange rates, the strength of the economy,
threats of terrorism, civil unrest, the effects of public health emergencies, the effects
of disruptions to public infrastructure, and the level of business conducted in the
regions where the bank operates.
TD Bank employs an ERM framework that emphasizes and balances central
oversight and control of risk with clear accountability for and ownership of risk
within each business segment. TD’s approach to ERM is based on six key princi-
ples: enterprise-wide in scope, transparent and effective communication, enhanced
accountability, independent oversight, integrated risk and control culture, and
strategic balance.
QUESTIONS
1. How does an ERM program help an organization to better understand its risk culture?
2. How would you describe TD Bank’s risk profile to a financial analyst on Wall Street?
3. What are the determining factors in deciding which risks TD can take?
4. How does TD measure the risks in its organization?
REFERENCES
TD Bank. 2012. ERM Framework, June.
TD Bank. 2012. Management and Decision Analysis Report.
ABOUT THE CONTRIBUTORS
Paul Cunha is Vice President, Enterprise Risk Management, at TD Bank. He grad-
uated from Wilfrid Laurier University with an honors bachelor of business admin-
istration and is a CFA charterholder. During his career at TD Bank, he has spent
time in risk management, internal audit, retail banking, commercial banking, and
corporate and investment banking.
Kristina Narvaez is the president and owner of ERM Strategies, LLC. She grad-
uated from the University of Utah in environmental risk management and then
received her MBA with two advanced certificates in finance and information tech-
nology from Westminster College. She is a two-time Spencer Education Founda-
tion Graduate Scholar from the Risk and Insurance Management Society, and has
published more than 25 articles and papers on topics relating to enterprise risk
management and board risk governance.
Note: The material contained in this chapter represents the views of the authors
and not necessarily those of the TD Bank Group.
PART III
Linking ERM to Strategy and
Strategic Risk Management
CHAPTER 14
A Strategic Approach
to Enterprise Risk Management
at Zurich Insurance Group
LINDA CONRAD
Director of Strategic Business Risk at Zurich Insurance Group
KRISTINA NARVAEZ
President and Owner of ERM Strategies, LLC
This case study describes how the Zurich Insurance Group has implemented and
evolved its enterprise risk management (ERM) approach for more than 10 years
across the globe. It describes how Zurich has organized its governance structures
and ERM champions to help integrate ERM into the business model, which focuses
on promptly identifying, measuring, managing, monitoring, and reporting risks
that affect the achievement of strategic, operational, and financial objectives. This
includes adjusting risk profiles to be in line with Zurich’s stated risk tolerance in
order to respond to new threats and opportunities and optimize returns.
ENTERPRISE RISK MANAGEMENT AT ZURICH
As a large global insurance carrier, Zurich Insurance Group has relied on its ERM
program for more than 10 years as a means to help Zurich remain profitable. With
over 60,000 employees around the world and serving customers in more than 170
countries and territories, Zurich is exposed to a wide range of risks from its cus-
tomers to its own operations. Yet Zurich recognizes that taking the right risks at the
right time is a necessary part of growing and protecting shareholder value. Nat-
urally, Zurich aims to capitalize on appropriate market opportunities that could
attract the best talent and investor capital. To achieve this, Zurich utilizes insight
from its ERM program to help balance growth opportunities with the reality that
it is operating in a complex world economy.
ERM not only is embedded in Zurich’s business, but is also aligned with its
strategic and operational planning and budgeting process. Zurich assesses risks
systematically and from a strategic perspective through its proprietary tools that
allow it to identify and then evaluate the probability of a risk scenario occurring,
as well as the severity of the consequence should it occur. Zurich then develops,
implements, and monitors appropriate improvement actions. Its ERM tools are
integral to how Zurich deals with change, by helping to evaluate strategic risks as
well as risks to its reputation. At the senior management level, the ERM process is
annually reviewed and tied to the strategic planning process, but is also embedded
in the ongoing business.
Listed here are Zurich’s major ERM objectives, followed by a tangible proof point:
• Protect the capital base by monitoring that risks are not taken beyond
Zurich’s risk tolerance.
• Enhance value creation and contribute to an optimal risk/return profile by
providing the basis for efficient capital deployment.
• Support Zurich’s decision-making processes by providing consistent, reli-
able, and timely risk information.
• Protect Zurich’s reputation and brand by promoting a sound culture of risk
awareness and disciplined and informed risk taking.
Tangible Results
By aligning ERM with its business strategy, Zurich has been able to use certain tools
to create new value for its organization in a variety of areas. Zurich’s ERM program
has sustained business growth throughout the recession, contributing to more than
40 consecutive quarters of growth. One way it added value through ERM was
when Zurich introduced an enhanced operational risk management framework.
One business unit reduced operational risk-based capital (RBC) consumption by
21.7 percent when Zurich moved from an asset-based to a risk-based approach for
operational risk quantification. Using tools such as Total Risk Profiling (TRP,
described later in this chapter), the business unit then identified high-risk expo-
sures, performed a deeper assessment, and developed mitigation measures. The
business unit experienced an additional reduction of 28.9 percent in operational
risk capital consumption the following year. Operational risk capital not consumed
was then available to fund profitable growth for Zurich.
Optimizing the Risk and Reward Balance at Zurich
To consistently achieve the right balance between risk and reward to optimize cap-
ital, many corporate leaders around the world have adopted ERM within their
organizations. Zurich has a well-established ERM program, which it sees as a crit-
ical component to its success. Zurich’s comprehensive ERM and risk tolerance
framework links risk taking, strategic planning, and operational planning with a
comprehensive risk limit system. It enables active risk-taking within a consistent
framework across the entire organization. It also allows for the flexibility to either
increase or limit risk levels as appropriate for specific applications, geographies,
or business units on a case-by-case basis, in accordance with Zurich’s risk policy.
Global businesses like Zurich are increasingly focused on the challenge of map-
ping and managing their risk profiles, looking beyond a single dimension to under-
stand the complex interactions between many different types of risks. Zurich’s risk
landscape outlines the number of risks, types of risks, and potential effects of those
risks to the organization. This outline supports each business unit within Zurich
as it strives to anticipate additional costs or disruptions to its operations. Also, it
describes the willingness of Zurich to take risks and how those risks will affect the
operational strategy of the organization. Managing the vast scope of business expo-
sures and growth initiatives requires taking a broader view on risks from a strategic
perspective. In defining its desired risk profile, Zurich must determine which risks
will optimize its returns. Its ERM mission is to promptly identify, measure, man-
age, report, and monitor the risks that affect the achievement of its strategic goals.
Risk Culture at Zurich
The risk culture at Zurich could be defined as the individual and group behav-
ior within the organization that determines the way in which Zurich identifies,
understands, discusses, and acts on the organization’s risks and opportunities.
Embedding a positive risk culture is the responsibility of the Zurich leadership
team because it is critical to the effective management of the business.
The core characteristics expected from an effective risk culture include com-
mitted leadership, an effective governance structure with clear risk responsibilities
and timely escalation procedures, continuous and constructive challenges, active
learning from past mistakes, and incentives that reward consideration of risk
management objectives and risk appetite in the organization’s management of the
business.
Zurich recognizes the need to constantly improve on its ERM program. Senior
leadership also wishes to have an effective way of understanding and reporting on
the risk culture and framework of the company, both to support internal manage-
ment and oversight and to be able to report externally. In principle, the risk culture
should not be seen as something separate from the overall culture of the organi-
zation, and, for risk to be truly embedded, it should be regarded as one element,
albeit one that currently deserves specific attention.
ZURICH GROUP’S ENTERPRISE RISK
MANAGEMENT FRAMEWORK
At the heart of Zurich’s ERM framework is a governance process with clear respon-
sibilities for taking, managing, monitoring, and reporting risks. (See Exhibit 14.1.)
Zurich articulates the roles and responsibilities for risk management throughout
the organization, from the board of directors and the chief executive officer (CEO)
to its businesses and functional areas. In fact, each business and functional or
project team will have someone designated as a risk owner to be responsible for
identifying and addressing relevant risk exposures and to help embed ERM further
in the business unit and build a more open, positive risk culture.
One of the key elements of Zurich’s ERM framework is to foster transparency
by establishing risk reporting standards throughout the organization. Zurich reg-
ularly reports on its risk profile, current risk issues, adherence to its risk policies,
and improvement actions both at a local and on a senior management level. Zurich
has procedures in place for the timely referral of risk issues to senior management
and the board of directors. Various governance and control functions coordinate
Exhibit 14.1 Zurich Risk Management Framework (diagram, reproduced here as text;
the framework is drawn as stacked layers, from top to bottom: Strategic Risk
Management; Risk Assessment and Mitigation; Risk Quantification; Risk Transparency;
Risk Governance and Risk Culture)
to help ensure that objectives are being achieved, risks are identified and appro-
priately managed, and internal controls are in place and operating effectively.
Risk Governance Approach at Zurich with Three Lines
of Defense
Zurich uses a “three lines of defense” model to help ensure governance and control.
(See Exhibit 14.2.) This model consists of the following:
1. The first line of defense in the business or functional areas involves the
employees making day-to-day business decisions like underwriting, man-
aging projects, developing information technology (IT) solutions, or man-
aging human capital issues.
2. The second line of defense is Group Risk Management, which oversees
the company’s efforts to apply appropriate risk identification and gover-
nance processes and provides tools and frameworks to manage decisions.
Group Risk Management also coordinates very closely with the Compli-
ance and Legal departments, Business Continuity Management, IT, Pro-
curement, and other areas, to encourage better coordination across various
silos to build an enterprise lens on risk management.
3. The third line of defense is the independent internal audit function, which is
responsible for verifying the functionality of the ERM and internal controls
framework.
To support the governance process, Zurich relies on documented policies
and guidelines. The Zurich Risk Policy is its risk governance document; it spec-
ifies Zurich’s risk tolerance, risk limits and authorities, reporting requirements,
Exhibit 14.2 Zurich Risk Governance Overview (diagram, reproduced here as text)
Columns: Risk Taking; Risk Control; Independent Assurance.
Levels: Board of Directors level; Group Executive level; Region, Segment, Division,
Business Unit level.
Elements shown: Board of Directors; Risk Committee; Audit Committee; CEO and
Group Executive Committee; Group Chief Risk Officer; Group Balance Sheet
Committee; Group Finance and Risk Committee; Group Audit; Business Management;
Risk Management Network (including regional/segment/division Chief Risk Officers
and Local Risk Officers); Audit, Risk, and Control Committees.
Note to exhibit: The overview above highlights only key elements of the governance
framework that apply to risk management;
procedures to approve any exceptions, and procedures for referring risk issues to
senior management and the board of directors. The limits are specified per risk
type, reflecting the willingness and ability to take risks, considering issues such
as earnings stability, economic capital adequacy, financial flexibility and liquidity,
franchise value, and reputation. Zurich’s strategic direction and operational plan
seeks to achieve a reasonable balance between risk and return, and to be aligned
with economic and financial objectives.
An important element of Zurich’s ERM framework is a well-balanced and
effectively managed remuneration program. This includes a groupwide remunera-
tion philosophy and robust short- and long-term incentive plans, with strong gov-
ernance and links to the business planning, performance management, and risk
policies. Based on Zurich’s Risk Policy, the board establishes the structure and
design of the remuneration arrangements so that they do not encourage inappro-
priate risk taking.
As an ongoing process, adherence to requirements stated in the Zurich Risk
Policy is assessed. Zurich regularly enhances its Risk Policy to reflect new insights
and changes in the environment and to reflect changes to the risk tolerance. For
example, the Zurich Risk Policy was recently updated and strengthened for vari-
ous areas, including actuarial reserving in General Insurance, reinsurance, receiv-
ables, operational risk management, and particularly outsourcing and business
continuity management. Related procedures and risk controls were also strength-
ened or clarified for these areas.
Exhibit 14.3 Zurich’s Core Assessment and Assurance Functions (diagram, reproduced
here as text)
Group Risk Management: Coordinate risk identification, risk assessment, and
financial quantification of risk to achieve a holistic view of the organization’s
risks. Responsible for coordinating risk reporting. The resultant risk landscape will
inform the risk-based assurance activities of the other functions.
Group Audit: Facilitate alignment of assurance methodology and assurance coverage
(including raising any gaps in assurance coverage). Includes assurance work of
Group Audit, Group Compliance, External Audit, Technical Underwriting, and Claims
QA. Responsible for coordinating assurance reporting.
Group Compliance: Specialist function that contributes insights regarding
compliance matters. Coordinates with other assurance functions in the discharge of
its mandate.
Integrated Assessment and Assurance
Integrated Assessment and Assurance (IAA) is a coordinated view from the Assur-
ance functions to provide greater confidence that risks are identified, those risks
are appropriately managed, and mitigation actions are implemented and controls
are operating effectively. The Assessment and Assurance functions include Group
Risk Management, Group Compliance, and Group Audit. (See Exhibit 14.3.) Close
coordination is also maintained with Group Legal, External Audit, and manage-
ment’s review functions such as underwriting or claims reviews and actuarial peer
reviews.
Internal Control Framework
Swiss law prescribes the existence of an Internal Control System (OR 728a) for all
“listed companies” and “companies of economic significance.” Zurich Insurance
Group was one of the first firms in the industry to establish an internal control
system, doing so in 2004. The framework is of core importance in ensuring
that company objectives are adhered to and that risks are controlled. The board of
directors wants to have positive assurance that an effective internal control system
is embedded in the business processes.
Zurich’s Internal Control Framework (ICF) provides to the board the requested
global overview of the risks in each business unit and how they are controlled.
The evidence of these controls and their documentation serve as proof of the ICF’s
existence for regulatory and auditing purposes. Zurich’s three lines of defense help
ensure that the Internal Control Framework is enabled.
ROLE OF THE CHIEF RISK OFFICER AND GROUP
RISK MANAGEMENT AT ZURICH
Zurich’s chief risk officer (CRO) consults with the other assurance, control, and
governance functions to provide the chief executive officer (CEO) with a review of
risk factors to consider in the annual process to determine variable compensation.
The CRO leads the Group Risk Management function, which develops methods
and processes for identifying, measuring, managing, monitoring, and reporting
risks throughout Zurich. The CRO is responsible for the oversight of risks across
Zurich and regularly reports risk matters to the CEO, senior management commit-
tee, and the Risk Committee of the board.
The Group Risk Management organization at Zurich consists of central functions at the Corporate Center and a decentralized risk management network at all the segment, regional, business unit, and functional levels. At the Group level there are two centers of expertise: risk analytics and risk and control. The Risk Analytics department quantitatively assesses insurance, financial market, asset/liability, credit, and operational risks, and is Zurich’s center of excellence for risk quantification and risk modeling. The Risk and Control department includes operational risk management, internal control framework, risk reporting, risk governance, and risk operations. Group Risk Management proposes changes to the risk management framework and Zurich’s risk policies; it makes recommendations on the organization’s risk tolerance and assesses the risk profile.
The risk management network consists of the chief risk officers (CROs) of the Group’s segments and regions, and the local risk officers (LROs) of the business units and functions and their staff. While their primary focus is on operational and business-related risks, they are also responsible for providing a holistic view of all risks for their areas. The risk officers are part of the management teams in their respective businesses and therefore are embedded in the business units. The LROs also report to the segment or regional CROs, who in turn report to the Group’s chief risk officer. The CROs of the Group’s segments and regions are members of the leadership team of the Group’s chief risk officer.
In addition to the risk management network, Zurich has audit and/or oversight committees at the major business and regional levels. These committees are responsible for providing oversight of the risk management and control functions. This includes monitoring adherence to policies and periodic risk reporting. At the local level, these oversight activities are conducted through risk and control committees or quarterly meetings between senior executives and the local heads of governance functions.
In 2012, Zurich strengthened the process through which the assurance, control, and governance functions provide risk and compliance information about each business unit as part of the annual individual performance assessment. Through these processes, Zurich encourages a culture of disciplined risk taking across the organization. It continues to consciously take carefully selected risks for which it expects an adequate return.
Board-Level Risk Committee and Executive Risk Committee Responsibilities
The board of directors of Zurich Insurance Group has ultimate oversight responsibility for Zurich’s risk management program. The board approved the guidelines for the Group’s risk management framework and key principles, particularly as articulated in the Zurich Risk Policy, and decides on changes to such guidelines and key principles, as well as transactions reaching specified thresholds.
The Risk Committee of the board serves as a focal point for oversight regarding Zurich’s risk management. In particular, it oversees Zurich’s risk tolerance, including agreed limits that the board regards as acceptable for Zurich to bear, the aggregation of these limits across the entire organization, the measurement of adherence to risk limits, and its risk tolerance in relation to anticipated capital levels. The Risk Committee further oversees the organization-wide risk governance framework, including risk management and control, risk policies and their implementation, as well as risk strategy and the monitoring of operational risks.
The Risk Committee also reviews the methodologies for risk measurement and its adherence to risk limits. The Risk Committee further reviews, with business management and Zurich’s Risk Management functions, its general policies and procedures and satisfies itself that effective systems of risk management are established and maintained. It receives regular reports from Zurich’s Risk Management Group and assesses whether significant issues of a risk management and control nature are being appropriately addressed by management in a timely manner.
The Risk Committee assesses the independence and objectivity of Zurich’s Risk Management functions; approves its terms of reference; reviews the activities, plans, organization, and quality of the function; and reviews key risk management principles and procedures. To facilitate information exchange between the Audit Committee of the board and the Risk Committee of the board, at least one board member is a member of both committees. The Risk Committee generally meets seven times per year, including once jointly with the Remuneration Committee.
Zurich’s Executive Risk Committee, which consists of the CEO together with the Group Executive Committee (GEC), oversees the Group’s performance with regard to risk management and control, strategic, financial, and business policy issues of organization-wide relevance. This includes monitoring adherence to and further development of the Group’s risk management policies and procedures. The Group Balance Sheet Committee and the Group Finance and Risk Committee regularly review and make recommendations on the Group’s risk profile and significant risk-related issues.
The chief risk officer is a member of the GEC and reports directly to the CEO and the Risk Committee of the board. The CRO is a member of each of the management committees listed below, in order to provide a common and integrated approach to risk management, to allow for appropriate quantification and, where necessary, mitigation of risks identified in these committees.
Emerging Risk Group
Zurich’s Emerging Risk Group (ERG) seeks to preempt potential downsides of emerging risk and help its employees and customers understand and address them. The ERG looks to serve customers and society and build business opportunities to increase, not exclude, insurability of emerging risks. The ERG’s remit is to respond to emerging risk threats and opportunities with strategies that help customers understand and protect themselves from risk and that drive profitable underwriting results.
The Zurich Emerging Risk Radar shows potential risks and opportunities that the ERG has currently identified. The online, internal version of Zurich Risk Radar is interactive, and one can roll the cursor over each threat to see a description of a risk and its potential harm—and each risk is classified by its primary scope (Science and Technology, Regulatory, Environmental, Social, or Legal), as well as the time over which the risk will potentially emerge (zero to three years, three to five years, five or more years), plus its potential impact on Group earnings. (See Exhibit 14.4 for a public version.)
WORKING WITH EXTERNAL STAKEHOLDERS
Various external stakeholders, among them regulators, rating agencies, investors, and accounting bodies, have placed emphasis on the importance of a sound risk management program in the insurance industry. Regulatory requirements, such as the Swiss Solvency Test in Switzerland and the regulatory principles of Solvency III in the European Union, have emphasized a risk-based and economic approach, based on comprehensive quantitative and qualitative assessments and reports.
Rating agencies are now interested in enterprise risk management as a factor in evaluating companies’ creditworthiness. Standard & Poor’s, a rating agency with a separate rating for ERM, has rated Zurich’s overall ERM as “strong.” Reinsurance and credit risk controls remain “excellent.” Market, asset/liability management (ALM), reserving, catastrophe, and operational risk controls, as well as strategic and emerging risk management, are seen as “strong.” Zurich is rated either “excellent” or “strong” in all of the Standard & Poor’s dimensions for ERM.
Zurich also seeks external expertise from its International Advisory Council and Natural Catastrophe Advisory Council to better understand and assess risks, particularly regarding areas of complex change. In addition, the Investment Management Advisory Council provides feedback to Investment Management on achieving superior risk-adjusted returns versus liabilities for the Group’s invested assets. Zurich also organizes various regional Risk Management Councils comprised of key customers, which engage to help identify and address issues together.
Zurich is involved in a number of international industry organizations engaged in advancing the regulatory dialogue and sound risk management practices pertaining to the insurance industry. It is also a standing member of and actively contributes to the Emerging Risk Initiative of the CRO Forum (an organization composed of the chief risk officers of major insurance companies and financial conglomerates that focuses on developing and promoting industry best practices in risk management).
Zurich actively participates in professional risk management bodies such as the Risk and Insurance Management Society (RIMS), the Institute of Risk Management (IRM), the Federation of European Risk Management Association (FERMA), and the Association of Insurance and Risk Managers in Industry and Commerce. For example, Zurich’s staff serves on the RIMS ERM Committee and on the global Education Advisory Board of the IRM. It is also involved in various working groups in the Conference Board, supports the Red Cross in crisis recovery, and collaborates with other entities to help promote better risk identification, assessment, prevention, and mitigation.
Zurich is a main contributor to the Global Risk Report that is produced by the World Economic Forum in cooperation with other corporations (Swiss Re, Marsh & McLennan Companies, the Oxford Martin School [University of Oxford], the National University of Singapore, and the Wharton Risk Management and Decision Processes Center [University of Pennsylvania Center for Risk Management] [www.weforum.org/reports/global-risks-2012-seventhninth-edition]). The report’s assessment of the most pressing global risks and the interconnections among them provides valuable information for risk mitigation worldwide. Supporting the report is also part of the Group’s commitment to corporate responsibility by sharing Zurich’s expertise to help businesses, nations, and society.
(Figure: the Zurich Risk Radar plots emerging risks by probability (low, medium, high) and impact (low, medium, high). Risks shown: Broad implications of US Care Reform; Rating tool restrictions; Low carbon economy; Water shortage; Geoengineering (or climate engineering); Water quality; Threat to bee population; Obesity; Aging workforce; Longevity financial products; Social media; Shift and irregular working; Digital misinformation; Banks, Basel II, Solvency II, regulation; Food inflation; Gaming industry; Xenotransplantation; Synthetic biology; Cosmeceuticals; Global supply chains; Abusive class actions/Collective redress from non US; Cell mutation; Motor/Liability legal convergence; Electromagnetic fields; Man-made EQ; Pervasive computing; Space weather; Unconventional sources for fossil fuels; Cognitive computing / driverless cars; Virtual reality and currency; Security of power supply; Genetic testing and predisposition; Nanotechnology; Green products; Asbestos replacement products; Endocrine disruptors; Antibiotic resistant bacteria; Internet of things; Electric vehicle manufacturing; Aging infrastructure; Transportation in 21st century; Sharing economy; Quantified self; Globalization and the illicit economy; E-Cigarettes.)
Exhibit 14.4 Zurich Risk Radar
ZURICH’S PROPRIETARY TOOLS USED IN ERM FRAMEWORK
Zurich uses a variety of methodologies and tools to manage its business risk, with the following aims. More information on Zurich’s Strategic Risk Management work can be found at www.zuricherm.com.
• Understand issues in enterprise strategy, resilience, supply chain, and business continuity.
• Identify scenarios that could—or should—be built into a strategic and/or operational resilience plan.
• Develop action points and risk responsibilities to help protect profitability.
Total Risk Profiling Tool
One of Zurich’s key proprietary tools is called Total Risk Profiling (TRP); it is a workshop-based approach where a facilitator-led team develops a risk profile by determining relative ratings in probability and severity (likelihood and impact) for potential risk scenarios. (See Exhibit 14.5.) TRP is a structured approach to identifying, assessing, and monitoring holistic risks and improvement actions needed. Embedding the Total Risk Profiling methodology into its risk culture has helped ensure that Zurich’s risk management culture is consistent and effective across its various business units. It uses these risk scenarios to define the underlying issues and break them into components of vulnerability, trigger, and consequences. The TRP tool can also help a business unit define and quantify its risk tolerance limit. A short video explains more about Total Risk Profiling (http://zdownload.zurich.com/zna/TotalRiskProfiling.html).
(Figure: the Total Risk Profiling process. Vulnerability identification and assessment feeds a vulnerability catalog; the risk profile feeds a risk improvement catalog; risk mapping against the risk tolerance boundary leads to risk reduction/risk improvement advice. The first step, “Develop risk scenarios, quantify financial severity, and assess probability,” breaks each scenario into 1. Vulnerability (what? where? control?), 2. Trigger (how? why? when?), and 3. Consequences (how big? why bad? when much?), and plots scenarios A to F on a probability (1 to 6) versus severity (I to IV) map. The second step, “Define the risk appetite, prioritize risk scenarios, and deliver improvement plan,” yields the prioritized list.)
Exhibit 14.5 Zurich Total Risk Profiling Tool
A risk tolerance limit is defined as part of the risk appetite, and action plans are developed to improve the prioritized risks and bring them within the business unit’s tolerance for risk. The structure of the TRP risk identification process provides a sound basis for detailed quantification of more complex risks. TRP has helped Zurich’s business units set the agenda for internal audit or enterprise risk management to monitor risks at or just below the risk tolerance boundary.
By being able to define multiple risk triggers with different potential consequences, the TRP tool has helped Zurich to identify the true drivers of risk by undertaking various stress tests or even to define new risk exposures. A facilitator-led team develops a relative rating for each risk scenario, often without a predefined scale of impact and likelihood, to improve the business unit’s understanding of the risk.
Another main aim of the flexible TRP tool is to help embed a risk culture that will sustain shareholder value through better enterprise risk management practices and strategic planning processes. Zurich performs nearly 200 TRP workshops per year, ranging from assessing strategy execution, project management, human resources (HR), mergers and acquisitions (M&A), or business interruption (BI) exposures to new product development. In fact, completion of a TRP is a requisite part of the submission for a project budget or operational plan. The TRP tool helps to enable the following:
• Assessment of current and emerging risks to business resilience and profitability
• Alignment of business strategy with key performance indicators
• Communication of board discussion on risk appetite to investors and other stakeholders
• Reviewing the environmental scanning tool for corporate or competitive business strategy development
• Embedding of ERM in the strategic planning process
• Product launches, acquisitions or divestitures, and project management
• Considering the vulnerabilities in the supply chain
• Evaluation of business interruption risk scenarios
• Testing of existing strategies in the context of unrealized/underrealized risks and opportunities
• Use in the objective-setting stage of the business cycle to determine the budget
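As an added illustration of the TRP mechanics described above (not Zurich’s own tool or code), the following Python scores constructed risk scenarios broken into vulnerability, trigger, and consequence, maps them against a risk tolerance boundary, flags those at or just below the boundary for monitoring, and derives the probability reduction an improvement plan would need for scenarios outside tolerance. The 1 to 6 probability and 1 to 4 severity scales, the boundary value, and the scenarios are assumptions based on the exhibit’s axis labels, not Zurich’s calibration.

```python
"""TRP-style risk profile (added illustration, not Zurich's tool).

Assumed scales (not Zurich's): probability 1..6 (remote .. frequent) and
severity 1..4 (the exhibit's classes I..IV). The rating is their product and
the tolerance boundary is the highest rating the business unit accepts.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PROB_MAX = 6
SEV_MAX = 4


@dataclass(frozen=True)
class RiskScenario:
    """One TRP scenario decomposed into vulnerability, trigger, consequence."""
    name: str
    vulnerability: str   # what? where? control?
    trigger: str         # how? why? when?
    consequence: str     # how big? why bad? how much?
    probability: int     # relative workshop rating, 1..PROB_MAX
    severity: int        # relative workshop rating, 1..SEV_MAX

    def __post_init__(self) -> None:
        # Reject ratings off the assumed scales so a bad workshop entry
        # cannot silently distort the profile.
        if not 1 <= self.probability <= PROB_MAX:
            raise ValueError(f"{self.name}: probability out of range")
        if not 1 <= self.severity <= SEV_MAX:
            raise ValueError(f"{self.name}: severity out of range")

    def rating(self) -> int:
        return self.probability * self.severity


def disposition(scenario: RiskScenario, boundary: int, watch_band: int = 2) -> str:
    """Place a scenario relative to the tolerance boundary.

    'reduce'  : above the boundary, needs an improvement action
    'monitor' : at or just below the boundary (within watch_band), i.e. the
                agenda for internal audit / ERM monitoring
    'accept'  : comfortably inside tolerance
    """
    r = scenario.rating()
    if r > boundary:
        return "reduce"
    if r >= boundary - watch_band:
        return "monitor"
    return "accept"


def build_risk_profile(scenarios: List[RiskScenario], boundary: int,
                       watch_band: int = 2) -> List[Dict]:
    """Prioritized risk profile: highest rating first, ties broken by name."""
    profile = [
        {"name": s.name, "probability": s.probability, "severity": s.severity,
         "rating": s.rating(), "disposition": disposition(s, boundary, watch_band)}
        for s in scenarios
    ]
    profile.sort(key=lambda e: (-e["rating"], e["name"]))
    return profile


def improvement_plan(scenarios: List[RiskScenario],
                     boundary: int) -> Dict[str, Tuple[int, int]]:
    """For each scenario above the boundary, the probability it must be brought
    down to (severity held constant) so that its rating is within tolerance.
    Returns {name: (current_probability, target_probability)}; a target of 0
    means severity alone exceeds the boundary and must itself be addressed."""
    plan: Dict[str, Tuple[int, int]] = {}
    for s in scenarios:
        if s.rating() <= boundary:
            continue
        target = boundary // s.severity  # largest probability keeping rating <= boundary
        plan[s.name] = (s.probability, target)
    return plan


# Constructed sample scenarios for a fictional business unit (assumed values).
TOLERANCE_BOUNDARY = 8
SAMPLE_SCENARIOS = [
    RiskScenario("Bottleneck supplier outage", "single supplier hosts the claims platform",
                 "supplier insolvency", "claims handling interrupted for weeks", 3, 4),
    RiskScenario("Customer data breach", "customer records reachable from a vendor network",
                 "compromised vendor credentials", "regulatory action and loss of trust", 2, 4),
    RiskScenario("Key employee loss", "one actuary holds the pricing model knowledge",
                 "resignation", "delayed product launch", 4, 2),
    RiskScenario("Office flood", "ground-floor server room",
                 "river flood", "local outage, failover available", 1, 3),
]

if __name__ == "__main__":
    for entry in build_risk_profile(SAMPLE_SCENARIOS, TOLERANCE_BOUNDARY):
        print(entry)
    print(improvement_plan(SAMPLE_SCENARIOS, TOLERANCE_BOUNDARY))
```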
Zurich Hazard Analysis Tool
The Zurich Hazard Analysis is a powerful methodology to systematically identify, address, and manage various types of hazards or vulnerabilities and to address and manage the corresponding risks. The methodology is closely related to Total Risk Profiling, and is helpful in defining “pathways” of risks. Zurich has been successfully applying and using it within its operations and with customers for over 20 years in various industries, commercial enterprises, and, more recently, in the financial services industry, as well as public entities.
Zurich’s Risk Room
Another of Zurich’s proprietary tools, called the Zurich Risk Room, helps the organization and its customers to systematically explore major global risks, investigating how they are expressed on a country-by-country basis. (See Exhibit 14.6.) It shows on a 3-D screen how risks and geographies combine (sometimes unexpectedly) to be relevant to Zurich’s business concerns. This tool allows one to see which countries reflect similar profiles, and which risks begin to stand out on mapping various risk correlations. By working across different types of risks, risk correlations are identified that illustrate whether relevant risk connections exist and which ones are the strongest.
The Zurich Risk Room creates a statistical, fact-based assessment of global threats as they relate to business planning and implementation. Its output can complement departmental, regional, or consultant-based research and data, providing an additional objective lens to risk evaluation and reducing the issues related to silo-based risk assessments. Using a consistent global framework, the Zurich Risk Room can help identify threats that may cross boundaries and provide key decision makers with relevant risk information that can help them make more informed business decisions, even if they are not experts in risk analysis.
Exhibit 14.6 Zurich’s Risk Room
By examining risks and interconnections in detail, Zurich is able to compare both individual issues and overall country risk characteristics of one country to those of another. This allows Zurich to see whether a country’s risk profile is unique or it shares similarities with other countries. For international businesses, it is vital to form a picture of where operations and investments are vulnerable and where these vulnerabilities may reside. Zurich is then able to identify how risks are bundled, or where a threat in one area might cascade to another.
A demo version of the Zurich Risk Room software for an iPad or Android tablet can be downloaded by searching for Zurich Risk Room in iTunes or Google Play. In addition, this is a link to a short video that will give a brief overview of the Zurich Risk Room application: www.youtube.com/watch?v=_UMaYJtDu6Q.
CATEGORIZING VARIOUS RISKS AT ZURICH
In order to enable a consistent, systematic, and disciplined approach to ERM,
Zurich categorizes its main risks. (See Exhibit 14.7.) This grouping assists Zurich
in monitoring any aggregation of exposures that may be accumulating across the
enterprise and could, therefore, have a greater impact on the company.
(Figure: Zurich’s risk categories arranged around the ERM process cycle of risk and opportunity identification, risk assessment and quantification, risk treatment and controlling, risk monitoring and reporting, and risk awareness and culture. People risks: accident/health; labor/key employees; recruiting and retention; corporate governance; knowledge management. Strategic risks: joint ventures and subsidiaries; product development; mergers and acquisitions; reputation; intellectual property; management skills; legal and compliance risks. Operational risks: sabotage; machinery breakdown; transportation; fire/explosion; product liability; pollution; e-risk; interdependency; earthquake; business interruption; storm; bottleneck supplier; flood. Market risks: geographical spread; patent infringement; competitors; trade barriers; market share. Financial risks: stock exchange; capital markets; liquidity; fraud; debtors/creditors; currency fluctuation. Banner text: “Keeping you in business,” “Understanding your business,” “Understanding risk across your business.”)
Exhibit 14.7 Categorizing Various Risks at Zurich
Strategic Risks
Strategic risks are the unintended risks that can result as a by-product of planning or executing a strategy. For example, they can arise from the following:
• Inadequate assessment of strategic plans
• Improper implementation of strategic plans
• Unexpected changes to assumptions underlying plans
Risk considerations are a key element in the strategic decision-making process. The senior leadership team assesses the implications of strategic decisions on risk-based return measures and risk-based capital in order to optimize the risk/return profile and to take advantage of economically profitable growth opportunities as they arise.
Zurich works on reducing the unintended risks of strategic business decisions through its risk assessment processes and tools. The Group Executive Committee regularly assesses key strategic risk scenarios for the Group as a whole, including scenarios for emerging risks and their strategic implications.
An example of this is when Zurich evaluates the risks of mergers and acquisitions (M&A) transactions from both a quantitative and a qualitative perspective. Zurich conducts risk assessments of M&A transactions to evaluate risk, especially related to the integration of acquired businesses, to help increase the likelihood of successfully attaining the expected benefits. They may also review country-level exposures using the Zurich Risk Room tool.
Insurance Risks
Insurance risk is the inherent uncertainty regarding the occurrence, amount, and timing of insurance liabilities. The exposure is usually transferred to Zurich through the underwriting process. Zurich assumes certain customer risks and aims to manage that transfer of risk and to minimize unintended underwriting risks through the following:
• Establishing limits for underwriting authority
• Requiring specific approvals for transactions involving new products or where established limits of size and complexity may be exceeded
• Using a variety of reserving and modeling techniques to address the various insurance risks inherent in the insurance business
• Ceding insurance risks through proportional, nonproportional, and specific risk reinsurance treaties
Market Risks
Market risks can be associated with the Group’s balance sheet positions where the value or cash flow depends on financial markets. Fluctuating risk drivers resulting in market risk may include:
• Equity market prices
• Real estate market prices
• Interest rates and credit spreads
• Currency exchange rates
Zurich has policies and limits to manage market risk. Zurich aligns its strategic asset allocation to its risk-taking capacity. The Group centralizes the management of certain asset classes to help control aggregation of risk, and provides a consistent approach to constructing portfolios and selecting external asset managers. Zurich also diversifies portfolios, investments, and asset managers. It regularly measures and manages market risk exposure. Zurich has established limits on concentration in investments by single issuers and certain asset classes, as well as deviations of asset interest rate sensitivities from liability interest rate sensitivities, and also has limits on investments that are illiquid.
Credit Risks
Credit risks are associated with a loss or potential loss from counterparties failing to fulfill their financial obligations. Zurich’s exposure to credit risks may be derived from the following main categories of assets:
• Cash and cash equivalents
• Debt securities
• Reinsurance assets
• Mortgage loans and mortgage loans given as collateral
• Other loans
• Receivables
• Derivatives
Zurich strives to manage individual exposures as well as credit risk concentrations. Its objective in managing credit risks is to maintain them within parameters that reflect its strategic objectives and risk tolerance. Sources of credit risks are assessed and monitored, and Zurich has policies to manage special risks within various subcategories of credit risk. To assess counterparty credit risk, Zurich uses the rating assigned by external rating agencies, qualified third parties such as asset managers, and internal rating assessments. When there is a difference among external rating agencies, Zurich assesses the reason for the inconsistencies and applies the lowest of the respective ratings unless other indicators of credit quality justify the assignment of alternative internal credit ratings. Zurich maintains counterparty credit risk databases that record external and internal sources of credit intelligence.
Liquidity Risks
Risks that Zurich may not have sufficient liquidity to meet its obligations when they fall due, or would have to incur excessive costs to do so, are categorized as liquidity risks. Zurich’s policy is to maintain adequate liquidity and contingent liquidity to meet its liquidity needs under both normal and stressed conditions.
Zurich has groupwide liquidity management policies and specific guidelines as to how local businesses have to plan, manage, and report their local liquidity. These include regularly conducting stress tests for all major carriers within Zurich. The stress tests use a standardized set of internally defined stress events and are designed to provide an overview of the potential liquidity drain that Zurich would face if it had to recapitalize local balance sheets.
Operational Risks
Operational risks can be associated with Zurich’s people, processes, and systems, and external events such as outsourcing, catastrophes, legislation, or external fraud. Zurich has a comprehensive framework with a common approach to identify, assess, quantify, mitigate, monitor, and report operational risks within the scenario-based assessments, internal controls evaluations, and loss event data.
In the area of information security, Zurich continues to focus on its global improvement program with special emphasis on protecting customer information, improving security with its suppliers, and monitoring that access to information is properly controlled. This helps Zurich better protect information assets and ensure greater alignment with regulation and policies. A key consideration is maintaining and developing the capability of Zurich’s business continuity with an emphasis on recovery from possible risk events such as natural catastrophe or pandemic. Zurich continues to develop its existing business continuity capability by further implementing a more globally consistent approach to business continuity and crisis management.
Focusing on the risk of claims fraud and nonclaims fraud continues to be of great importance to Zurich. Zurich continues its global antifraud initiative to further improve Zurich’s ability to prevent, detect, and respond to fraud. While claims fraud is calculated as part of insurance risk and nonclaims fraud is calculated as part of operational risk for risk-based capital, both are part of the common framework for assessing and managing operational risks. Zurich considers risk controls to be key instruments for monitoring and managing operational risks. The operational effectiveness of key controls is assessed by self-assessments and independent testing of controls supporting the financial statements.
Reputation Risks
Reputation risks are risks that might arise from an act or omission by Zurich or any
of its employees that could result in damage to the Group’s reputation or loss of
trust among its stakeholders. Every risk type could have potential consequences for
Zurich’s reputation, and therefore effectively managing its exposures holistically
and systematically helps Zurich reduce threats to its reputation.
CAPITAL MANAGEMENT
Capital and solvency are managed through an integrated and comprehensive framework of principles and governance structures as well as methodology, monitoring, and reporting processes. The capital management process is illustrated in Exhibit 14.8. At the group executive level, the Group Balance Sheet Committee defines the capital management strategy and sets the principles, standards, and policies for the execution of the strategy. Group Treasury and Capital Management are responsible for the execution of the capital management strategy within the mandate set by the Group Balance Sheet Committee.
(Figure: Zurich’s capital management strategy rests on governance and principles and on methodology, monitoring, and reporting. Its pillars are economic capital adequacy, regulatory capital adequacy, and the insurance financial strength rating, with the Capital Management Program drawing on dividends, share buy-back, share issuances, senior and hybrid debt, reinsurance, and securitization.)
Exhibit 14.8 Zurich’s Capital Management Strategy
Within these defined principles, the group manages its capital using a number
of different capital models, taking into account regulatory, economic, and rating
agency constraints. The capital and solvency position is monitored and reported on
a regular basis. Based on the results of the capital models and the defined standards
and principles, Group Treasury and Capital Management has a set of measures
and tools available to manage capital within the defined constraints. This tool set
is referred to as the Capital Management Program.
The Capital Management Program comprises various measures to optimize
shareholders’ return and to meet capital needs, while enabling Zurich to take
advantage of growth opportunities as they arise. Such measures are used as and
when required and could include efficient balance sheet structuring as well as cash
dividends, share buy-backs, special dividends, issuances of shares or senior and
subordinated debt, and purchase of reinsurance.
The group seeks to maintain the balance between higher returns for sharehold-
ers on equity raised, which may be possible with higher levels of borrowing, and
the security provided by a sound capital position. The payment of dividends, share
buy-backs, and issuances and redemption of debt can have an important influence
on Zurich’s capital levels.
Zurich Economic Capital Model
In addition to a qualitative approach to measuring risks, Zurich regularly measures and quantifies material risks to which it is exposed through both TRP and the Zurich Economic Capital Model (Z-ECM). This model provides a key input into the strategic planning process, as it allows an assessment as to whether its risk profile is in line with its risk tolerance level. In particular, Z-ECM forms the basis for optimizing Zurich’s risk/return profile by providing consistent risk measurement across the Group.
Zurich uses Z-ECM to assess the economic capital consumption of its business with a balance sheet approach. Under the balance sheet approach one looks at the change in stockholders’ or owners’ equity to determine the amount of net income during the period between balance sheets. The Z-ECM framework is embedded in Zurich’s risk culture and plays a critical role in decision making, and is used in capital allocation, business performance management, pricing, reinsurance purchasing, transaction evaluation, and risk optimization, as well as regulatory, investor, and rating agency communication. Z-ECM quantifies the capital required for insurance-related risk (including premium and reserve, natural catastrophe, business, and life insurance), market risk (market/ALM [asset/liability management]), credit risk (including reinsurance credit and investment credit), and operational risks.
At the Group level, Zurich compares Z-ECM capital required to the Z-ECM available financial resources (Z-ECM AFR) to derive an economic solvency ratio (Z-ECM ratio). Z-ECM AFR reflects financial resources available to cover policyholder liabilities in excess of their expected value. It is derived by adjusting the International Financial Reporting Standards (IFRS) shareholders’ equity to reflect the full economic capital base available to absorb any unexpected volatility in Zurich’s business activities. As part of Z-ECM, Zurich uses a scenario-based approach to assess, model, and quantify the capital required for operational risk for business units under extreme circumstances and a very small probability of occurrence (internal model calibrated to a confidence level of 99.95 percent over a one-year time horizon).
Analysis of Capital Adequacy
Zurich maintains interactive relationships with three global rating agencies: Standard & Poor’s, Moody’s, and A.M. Best. The Insurance Financial Strength Rating (IFSR) of Zurich’s main operating entity is an important element of its competitive position. Moreover, Zurich’s credit ratings that are derived from its financial strength rating do, in fact, affect its cost of capital, just like any other credit-rated company.
In each country in which Zurich operates, the local regulator specifies the minimum amount and type of capital that each of the regulated entities must hold in relation to its liabilities. In addition to maintaining the minimum capital required to comply with the solvency requirements, Zurich targets holding an adequate buffer of capital reserves to ensure that each of its regulated subsidiaries meets the local capital requirements. Zurich is subject to different capital requirements depending on the country in which it operates. The main areas are Switzerland and European Economic Area countries, and the United States.
Since January 1, 2011, the Swiss Solvency Test (SST) capital requirements are binding in Switzerland. The Group uses an adaptation of its internal Risk-Based Capital (RBC) model to comply with the SST requirements and runs a full SST calculation twice a year. The model is still subject to Swiss Financial Market Supervisory Authority (FINMA) approval.
ZURICH’S BUSINESS RESILIENCE TOOLS
Business resilience management helps provide Zurich with the structure for dealing with risks systematically, holistically, and successfully. Zurich’s Business Resilience program is supported by an enterprise risk management framework that identifies particular events or circumstances relevant to its business objectives, assesses them in terms of likelihood and magnitude of impact, and then determines a response strategy. (See Exhibit 14.9.) A resilient enterprise is better able to anticipate surprises, recover more quickly from disruptions, adapt to changing conditions, and leverage emerging opportunities.
Exhibit 14.9 Zurich’s Business Resilience Program (figure: Profitable Growth; Business Resilience; Total Risk Profiling; Enterprise Risk Management; tools shown: Business Interruption Modeling, Supply Chain Assessment, Business Continuity Management, Business Impact Analysis)
The objective of Zurich’s Business Resilience program is “Prepared, Informed, and Resilient.” This tagline is regularly communicated to staff, especially during Business Resilience Awareness week. Some of Zurich’s proprietary Business Resilience tools are listed here.
Business Interruption Modeling allows Zurich the capability to better manage its risks based on an in-depth understanding of the value chain, with a main focus on the business critical value flow, followed by identification, assessment, and quantification of business interruption exposures and optional mitigations. As for all organizations, a business interruption for Zurich could have the potential to inhibit productivity and could have multiple negative impacts on its organization. Some examples of business interruption impacts could include loss of customers, diminished customer service, legal and/or regulatory issues, lower employee morale, and even delays in projects, products, or other strategic growth. Thus, it is essential that organizations try to map and quantify how they serve customers, in order to proactively protect where they generate value.
Key stages of Business Interruption Modeling include:
• Defining scope by identifying the business-critical part(s) of the value chain
• Building an interdependency framework of business-critical value flows
• Identifying relevant business interruption vulnerabilities as loss of resources such as supplier, production, storage, and customer
• Assessing the extent based on interruption scenarios, and modeling the effects quantitatively
• Prioritizing risks based on financial impact of scenarios, with focus on unacceptable risks in order to develop a beneficial mitigation plan
• Assessing the effectiveness of current business continuity plans and identifying improvement actions
Supply Chain Risk Assessment allows Zurich to improve its reliability and minimize the effects of a supply chain disruption on its capital and earnings. Zurich’s supplier risk assessment should help address vulnerabilities that could inhibit Zurich’s ability to respond to a changing risk landscape. Its supply chain risk evaluation, mapping, and grading are designed to assess and quantify the broad areas of exposures and risk controls in its supply chain. This gives Zurich actionable insights to help facilitate mitigation strategies that can address the characteristics of each supplier individually, including risk transfer options.
The stages of a Supply Chain Risk Assessment include:
• Develop a supply chain/value chain map.
• Gather key supply/supplier details.
• Evaluate risk factor information.
• Define and evaluate potential risk or loss scenarios.
• Develop risk grading for each critical supplier.
• Determine risk strategies.
Business Continuity Management (BCM) includes the mitigation strategies used to minimize the impact after an incident, with the possible scope of risks coming from supply chain risks, strategic risks, operational risks, technological risks, or natural hazards. BCM is very useful in identifying gaps in risk mitigation strategies and improving risk controls to manage those exposures more effectively. As part of Zurich’s business resilience process, BCM is important for managing the multitude of risk exposures and potential interruption scenarios and thus strengthening Zurich’s business resilience program.
Zurich’s Six-Stage Business Continuity Management Life Cycle
1. Modeling key business processes
2. Business impact analysis
3. BCM strategy and processes
4. Business continuity planning
5. Crisis management
6. Training, exercise, maintenance, and assessment
Zurich is able to undertake a regular gap analysis of its business continuity plans against best practices and common BCM-related standards such as International Standards Organization (ISO), National Fire Protection Association (NFPA) and the British Standard. It also routinely tests its crisis response activities. For example, it has planned or completed simulation exercises such as:
• Eurostar trains caught in tunnel
• India: Bomb explosion in hotel where Zurich has employees, impacting the country where company has operations in Pune, Bangalore, and Chennai
• Fire in Home Office location injuring employees, impacting critical processes, and possibly preventing occupancy in location for up to three to four months
• Los Angeles earthquake
• Kansas tornado
• Political demonstration in New York City
Business Impact Analysis is designed to provide the method to identify the systems that, when absent, would create a danger to the survival of the organization. This analysis can also ensure that these systems receive the correct priority in any subsequent business continuity plan.
Key stages of Zurich’s Business Impact Analysis include:
• Prioritize the key business services or processes.
• Identify the internal and external risks to the continuity of these business processes.
• Assess the importance of each risk in terms of both the likelihood and the financial impact of potential outcomes.
• Establish priorities for mitigating the critical risks.
• Develop a management plan of action.
• Assess the business continuity plan and management plan of action.
HOW ZURICH USES ITS ERM TOOLS TO CREATE NEW VALUE
In the area of mergers and acquisitions, Zurich may use two opportunity analysis tools to supplement traditional due diligence practices. Both the Total Risk Profiling tool and the Zurich Risk Room can be used to simulate various risk scenarios and investigate potential outcomes. (See Exhibit 14.10.) When Zurich acquired holdings in Asia and Latin America, these tools served to help identify and understand the risks associated with the strategy, so they could be managed accordingly and increase the likelihood of success on these opportunities.
While key performance indicators (KPIs) can help an organization understand how well it is performing in relation to its strategic objectives, key risk indicators (KRIs) are leading indicators of risks to business performance. (See Exhibit 14.11.) Zurich’s ERM tools can add value by helping to determine and embed KRIs within operations to provide an early warning that potential risks are on the rise. Some examples of Zurich using KRIs to monitor risks are in the areas of natural catastrophe risks (percentage of group shareholder equity), asset-liability matching (duration mismatch), strategic asset allocation (mix of investment across categories), and credit risk (weighted average credit rating).
Zurich has the opportunity to create value through business resiliency as well, which addresses disruption to business operations. It can use a combination of modeling software, supply chain risk assessment software, and business continuity gap analysis techniques to evaluate its exposure. It has recently appointed a supply chain risk officer, who reports into Zurich’s CRO organization and is tasked with finding the appropriate balance between cost and reliability. It has a business continuity planning team throughout its operating regions, and maintains a robust network of champions within the business, trained to return the business to operation quickly and efficiently after a disruption. The business continuity team regularly exercises a variety of plans to ensure that Zurich can be ready for many potential risk situations. Stress-testing activities take place in parallel to ensure that the network is prepared to shift workload, deploy contingencies, and remain operational, particularly when customers may have suffered from the same event.
Exhibit 14.10 Zurich Business Resilience Tools (figure not reproduced; only the caption survived extraction)
Key Performance Indicators (KPI):
• Progress on organizational targets and strategic goals
• Monitoring of employee activity completion and budget spend
• Measurement of results
• Forecasting for planning purposes
Key Risk Indicators (KRI):
• Track metrics that are leading indicators to risk of performance
• Measurement based on data of influencing factors
• Ongoing monitoring of the level and cost of risk against risk tolerance
• Track changes in the risk profile of business landscape
Exhibit 14.11 Zurich Key Performance Indicators and Key Risk Indicators
With new projects or product development opportunities, Zurich can also use its Total Risk Profiling (TRP) tool to evaluate risk scenarios that may prevent it from delivering on time, on budget, and with the expected results. Completion of a TRP analysis is normally required as part of most requests for project approval and budget. Improvement actions are assigned to risk owners during TRP sessions, and monitored regularly to ensure risk reduction. The TRP tool can also help with quantifying the potential exposure and risk tolerance level. For example, TRP was used as an analysis tool before considering outsourcing IT services, helping to vet the solution as a viable alternative. The risk assessment team assigned risk improvement actions to individuals, and proceeded with the project. The TRP was regularly updated and benchmarked throughout the course of the project, as risks changed and new ones surfaced. The TRP assessment can even be used as a yes/no decision gate during the project phases to help determine that the expected project benefits still outweigh the risks.
The TRP methodology can also be used at the board and senior management levels to help develop strategic (top-down) scenarios that can be applied consistently during operational (bottom-up) assessments across the enterprise. This has helped to ensure uniform handling of certain systemic issues and exposures to better balance the risks and rewards of new opportunities. It is very important to Zurich to set financial parameters around managing current risk issues and guiding key business decisions going forward. The TRP process can build team commitment and focuses management expertise on dedicating resources to mitigate those risks that are outside the risk tolerance level and pose the greatest barriers to achieving corporate objectives.
Another use of the TRP methodology is its employment in a risk tolerance workshop. Establishing a corporate risk tolerance is a critical step in helping increase business controls and profitability across an enterprise. The corporate risk boundary provides a clear indication of both an acceptable risk appetite for new opportunities and an unacceptable risk threshold for downside cost on potential exposures. Risk tolerance is often defined as the level of variability that an organization is willing to accept in its aggregate earnings and capital value at risk (VaR) limits. It is essential to both define and apply corporate risk tolerance in order to prioritize the most critical areas for risk improvement. The risk appetite at Zurich is set by senior management, and then broadly articulated and followed by business and functional areas.
Zurich’s ERM program also contributes to its core business through the processes and procedures to review customer risks. Zurich performs credit checks to monitor collateral and financial viability of many of its customers and suppliers. Its cross-divisional Emerging Risk Group is tasked with scanning the horizon for new exposures that may impact Zurich and its customers. Zurich reviews customers’ loss control techniques and provides best practices guidance through nearly 1,000 risk engineers who specialize in safety and operational risks around the world, serving the dual purpose of supporting customers’ needs as well as protecting Zurich’s own portfolio. Last, accumulations within Zurich’s risk portfolio are monitored via a database to identify areas of disproportionate exposure to a single company, industry, supplier, or geographic location.
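The accumulation monitoring mentioned at the end of the paragraph above (disproportionate exposure to a single company, industry, supplier, or geographic location) can be illustrated with a small aggregation script. The Python below is an added example, not Zurich’s database or code; the exposure records, the share limits per dimension, and the warning band at 80 percent of each limit are constructed assumptions, and accumulation_report and flagged are hypothetical function names.

```python
"""Added illustration (not from the book): an accumulation check over a
constructed exposure portfolio. Exposures are summed along the four
dimensions the text names (company, industry, supplier, geography) and each
aggregate's share of total exposure is compared with a tolerance limit.
Records, limits and the warning band are constructed assumptions."""
from collections import defaultdict

# Constructed portfolio records: (policyholder, industry, key supplier, region, exposure)
EXPOSURES = [
    ("Alpha Manufacturing", "automotive", "SupplierX", "EU", 120.0),
    ("Beta Logistics", "transport", "SupplierY", "EU", 80.0),
    ("Gamma Foods", "food", "SupplierX", "US", 60.0),
    ("Delta Energy", "energy", "SupplierZ", "APAC", 140.0),
    ("Alpha Manufacturing", "automotive", "SupplierX", "US", 70.0),
    ("Epsilon Retail", "retail", "SupplierY", "US", 30.0),
]

# Column index of each accumulation dimension in a record
DIMENSIONS = {"company": 0, "industry": 1, "supplier": 2, "geography": 3}

# Constructed tolerance: maximum share of total exposure per single name in a dimension
LIMITS = {"company": 0.25, "industry": 0.30, "supplier": 0.40, "geography": 0.45}
WARNING_FRACTION = 0.8  # warn at 80% of the limit so a breach is anticipated, not just reported


def aggregate(records, dimension):
    """Sum exposure per distinct value of one dimension."""
    col = DIMENSIONS[dimension]
    totals = defaultdict(float)
    for rec in records:
        totals[rec[col]] += rec[4]
    return dict(totals)


def accumulation_report(records, limits=LIMITS, warning_fraction=WARNING_FRACTION):
    """Return {dimension: {name: (share, status)}} where status is 'ok',
    'warning' (share >= warning_fraction * limit) or 'breach' (share >= limit)."""
    total = sum(rec[4] for rec in records)
    report = {}
    for dimension, limit in limits.items():
        per_name = {}
        for name, amount in aggregate(records, dimension).items():
            share = amount / total
            if share >= limit:
                status = "breach"
            elif share >= warning_fraction * limit:
                status = "warning"
            else:
                status = "ok"
            per_name[name] = (round(share, 4), status)
        report[dimension] = per_name
    return report


def flagged(report):
    """Flatten a report to the sorted (dimension, name, status) triples needing attention."""
    return sorted(
        (dim, name, status)
        for dim, names in report.items()
        for name, (_, status) in names.items()
        if status != "ok"
    )


if __name__ == "__main__":
    for dim, name, status in flagged(accumulation_report(EXPOSURES)):
        print(f"{status.upper():8} {dim:10} {name}")
```

The same policyholder appears twice (two regions), which is the point of aggregating by name before comparing with the limit: each record alone is below every threshold, but the company and supplier totals are not. The warning band gives the KRI-style early signal the chapter describes, before the limit itself is crossed.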
CONCLUSION
Every organization’s directors and officers will approach ERM differently in order to achieve their unique objectives. Zurich has taken many steps to help develop a strong and effective ERM program. This program did not emerge overnight, but today Zurich views its ERM program as a competitive advantage well worth the investment. Despite having embedded a robust program into the fabric of its business, Zurich does not rest on its laurels. The program is constantly scrutinized in search of better ways to identify, assess, manage, and monitor Zurich’s key risks. The company has even developed an ERM Gap Analysis that can be done yearly to help determine risk maturity and focus on its top areas for improvement. The organization’s management continuously looks for opportunities to create a closer partnership between ERM and the core business, so that its ERM team is ready to consult and assist the business in understanding risk in pursuit of profit. ERM is certainly a long journey defined by many paths, but one that can continue to yield tremendous benefits for the organization.
APPENDIX
Internally, Zurich uses its Risk-Based Capital (RBC) model, which also forms the basis of the SST model. The RBC model targets a total capital level that is calibrated to an AA-rated financial strength. Zurich defines RBC as being the capital required to protect the Group’s policyholders in order to meet all of their claims with a confidence level of 99.95 percent over a one-year time horizon.
While the Group’s RBC model and the SST model are broadly the same, the following is a summary of the main differences between the three approaches:
• Model calibration. The RBC calibration is based on a value at risk at a 99.95 percent confidence level, whereas SST calibration is based on an expected shortfall at a 99 percent confidence level. The Group thereby sets itself a higher financial strength target than the SST regulatory requirement.
• Scope. Operational and business risks for General Insurance are reflected in RBC, but are not required in SST.
• Market/ALM risk. The extreme scenario for market/ALM risk in RBC is directly attributed to that risk, whereas extreme scenarios in SST are aggregated to the combination of all risk types. This treatment of the extreme scenario in the RBC model leads to a more conservative result than in the SST model.
• Available financial resources (AFR). Senior debt is included in AFR for RBC purposes, but not included in AFR for the SST calculation.
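The calibration difference in the first bullet (value at risk at 99.95 percent for RBC versus expected shortfall at 99 percent for SST), together with the economic solvency ratio described earlier in the chapter (capital required compared against AFR), can be worked through on a sample loss distribution. The Python below is an added illustration for this text, not Zurich’s model or code; the loss sample, its tail shape, and the AFR figure of 800 are constructed assumptions, and value_at_risk, expected_shortfall, solvency_ratio and compare_calibrations are hypothetical function names.

```python
"""Added illustration (not from the book): value-at-risk (VaR) versus expected
shortfall (ES) on a constructed one-year loss sample, and an economic solvency
ratio computed as available financial resources (AFR) divided by the capital
requirement. All figures are constructed assumptions."""
import math
import random


def value_at_risk(losses, confidence):
    """Loss level exceeded with probability (1 - confidence), as an empirical
    quantile: sort ascending and take the element at ceil(confidence * n) - 1."""
    ordered = sorted(losses)
    n = len(ordered)
    index = min(n - 1, max(0, math.ceil(confidence * n) - 1))
    return ordered[index]


def expected_shortfall(losses, confidence):
    """Average of the losses from the VaR quantile upward. ES is never below
    VaR at the same confidence because it averages everything beyond the
    quantile instead of stopping at it."""
    ordered = sorted(losses)
    n = len(ordered)
    tail_start = min(n - 1, max(0, math.ceil(confidence * n) - 1))
    tail = ordered[tail_start:]
    return sum(tail) / len(tail)


def solvency_ratio(afr, capital_required):
    """Economic solvency ratio in percent: AFR over the capital requirement."""
    if capital_required <= 0:
        raise ValueError("capital requirement must be positive")
    return 100.0 * afr / capital_required


def constructed_losses(n=10_000, seed=7):
    """Constructed one-year loss sample: a lognormal attritional component plus
    a rare catastrophe jump, so the tail is fat enough for VaR and ES to differ."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n):
        loss = rng.lognormvariate(3.0, 0.6)
        if rng.random() < 0.01:  # 1-in-100 catastrophe scenario (assumption)
            loss += rng.uniform(150.0, 400.0)
        losses.append(loss)
    return losses


def compare_calibrations(losses):
    """Capital required under the two calibrations named in the text:
    VaR at 99.95 percent (RBC) and expected shortfall at 99 percent (SST)."""
    return {
        "rbc_var_99_95": value_at_risk(losses, 0.9995),
        "sst_es_99": expected_shortfall(losses, 0.99),
    }


if __name__ == "__main__":
    sample = constructed_losses()
    required = compare_calibrations(sample)
    for name, value in required.items():
        print(f"{name}: capital required {value:,.1f}, "
              f"solvency ratio vs AFR 800: {solvency_ratio(800.0, value):.0f}%")
```

Because expected shortfall averages the whole tail beyond the quantile, an ES at 99 percent and a VaR at 99.95 percent can land close together even though the confidence figures differ; which one binds depends on how fat the tail of the actual loss distribution is, which is why the comparison has to be run on the distribution rather than read off the percentages.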
Zurich uses RBC to assess the economic capital consumption of its business in a one-balance-sheet approach. The RBC framework is an integral part of how Zurich is managed. The RBC framework is embedded in Zurich’s organization and decision making, and is used in capital allocation, business performance management, pricing, reinsurance purchasing, transaction evaluation, and risk optimization, as well as regulatory, investor, and rating agency communication.
Zurich compares RBC to its AFR to derive an economic solvency ratio. AFR reflects financial resources available to cover policyholder liabilities in excess of their expected value. It is derived by adjusting the IFRS shareholders’ equity to reflect the full economic capital base available to absorb any unexpected volatility in the Group’s business activities.
At a Group level, the management committees dealing with risks are:
• The Group Balance Sheet Committee (GBSC) acts as a cross-functional body whose main function is to control the activities that materially affect the balance sheets of the Group and its subsidiaries. The GBSC is charged with setting the annual capital and balance sheet plans for the Group based on the Group’s strategy and financial plans, as well as recommending specific transactions or unplanned business changes to the Group’s balance sheet. The GBSC has oversight of all main levers of the balance sheet, including capital management, reinsurance, asset/liability management, and liquidity. The GBSC reviews and recommends the Group’s overall risk tolerance. It is chaired by the CEO.
• The Group Finance and Risk Committee (GFRC) acts as a cross-functional body for financial and risk management matters in the context of the strategy and the overall business activity of the Group. The GFRC oversees financial implications of business decisions and the effective management of the Group’s overall risk profile, including risks related to insurance, financial markets and asset/liability, and credit and operational risks, as well as their interactions. The GFRC proposes remedial actions based on regular briefings from Group Risk Management on the risk profile of the Group. It reviews and formulates recommendations for future courses of action with respect to potential mergers and acquisitions (M&A) transactions, changes to the Zurich Risk Policy, internal insurance programs for the Group, material changes to the Group’s risk-based capital methodology, and the overall risk tolerance. The GFRC is chaired by the chief financial officer, while the chief risk officer acts as deputy.
The management committees rely on output provided by technical committees, including:
• The Asset/Liability Management and Investment Committee (ALMIC) deals with the Group’s asset/liability exposure and investment strategies and is chaired by the chief investment officer.
• The General Insurance Global Underwriting Committee (GUC) acts as a focal point for underwriting policy and related risk controls for General Insurance and is chaired by the Global Chief Underwriting Officer for General Insurance.
• The Group Reinsurance Committee (GRC) defines the Group’s reinsurance strategy in alignment with its risk framework and is chaired by the Global Head of Group Reinsurance.
QUESTIONS
1. How do Zurich’s ERM tools help it better understand its existing and emerging risks?
2. How are Zurich’s risk roles and responsibilities impacting its risk culture?
3. Why is it important to include a Business Resilience program in your organization’s ERM program?
4. How is Zurich’s Capital Management program helping its ERM program?
5. Give some examples of how Zurich has created new value through its ERM program.
REFERENCES
Bugalla, John, Linda Conrad, and Kristina Narvaez. 2013. Presentation given at Risk and
Insurance Management Society Annual Conference in Los Angeles, April 22.
Conrad, Linda. 2013. Presentation given at Risk and Insurance Management Society ERM
Conference in San Francisco, November 4.
Zurich Insurance Group. 2012. Zurich Risk Report.
ABOUT THE CONTRIBUTORS
Linda Conrad is Director of Strategic Business Risk Management for Zurich. She leads a global team responsible for delivering tactical solutions to Zurich and to customers on strategic issues such as business resilience, supply chain risk, enterprise risk management (ERM), risk culture, and Total Risk Profiling. Linda also addresses enterprise resiliency issues in print and television appearances, including CNBC, Fox Business News, and the Financial Times, and is featured in a Wall Street Journal microsite at www.supplychainriskinsights.com.
Linda holds a Specialist designation in ERM, and serves on the global Education Advisory Board of the Institute of Risk Management in London. Linda is deputy member of the ERM Committee of the Risk and Insurance Management Society (RIMS), sits on the Supply Chain Risk Leadership Council, and was chairwoman of the Asian Risk Management Conference. She taught at the University of Delaware Captive program and in the Master’s on Supply Chain Management program at the University of Michigan’s Ross School of Business, where she serves on the Corporate Advisory Council. Linda studied at the Graduate Institute of International Studies in Geneva, Switzerland, and Fox Business School.
Kristina Narvaez is the president and owner of ERM Strategies, LLC, which offers ERM research and training to organizations on various ERM-related topics. She graduated from the University of Utah in environmental risk management and then received her MBA from Westminster College. She is a two-time Spencer Education Foundation Graduate Scholar from the Risk and Insurance Management Society and has published more than 30 articles relating to enterprise risk management and board risk governance. She has given many presentations to various risk management associations on topics of ERM. She teaches a Business Strategy class at Brigham Young University.
CHAPTER 15
Embedding ERM
into Strategic Planning
at the City of Edmonton
KEN BAKER
ERM Program Manager at the City of Edmonton, Alberta, Canada
To me, the only good reason to take a risk is that there’s a decent possibility of a reward that outweighs the hazard. Exploring the edge of the universe and pushing the boundaries of human knowledge and capability strike me as pretty significant rewards, so I accept the risks of being an astronaut, but with an abundance of caution: I want to understand them, manage them, and reduce them as much as possible.
—Commander Chris Hadfield1
The Administration of the City of Edmonton in 2012–2013 explored ways to implement enterprise risk management (ERM), with a focus on strategic risk. Previous attempts at ERM were not fully implemented, but a new opportunity arose when Edmonton created a new strategic plan, The Way Ahead, in 2008. With the strategic plan and goals well established, they required risk analysis to determine what could prevent the city from achieving its goals and objectives, and how to allocate scarce resources most effectively to mitigate risks to achieving those goals and objectives.
The City Administration hired an Enterprise Risk Management Program Manager in 2012 to address the need to implement ERM at a strategic level.
After studying several models and frameworks for addressing risk, and conducting pilot workshops for two of the six directional plans that supported the strategic plan, The Way Ahead, the ERM Program Manager worked with the Administration to determine a course of action going forward based on these workshops.
CONTEXT—CITY OF EDMONTON
The City of Edmonton, capital of the western Canadian province of Alberta, has been a meeting place since the end of the last Ice Age. First settled by Europeans as a fur-trading post in 1795, Edmonton has grown incrementally, driven by prairie settlement in the 1880s, rail connections in 1891 and 1905, and the Klondike Gold Rush of 1897. Already an agricultural center, its reputation as “Oil Capital of Canada” was cemented in 1947 with the discovery of major oil deposits nearby. Growth since that time was largely based on resource development, and further accelerated as Edmonton served as hub for new oil sands development in northern Alberta starting in the 1970s.
Edmonton has grown significantly. In 2013, it was a city of over 800,000, anchoring an Alberta capital region of over 1.1 million. The city is experiencing nation-leading economic and population growth2 and is expected to reach 900,000 by 2018.3 It is home for world-leading research in several fields, including medicine, energy, nanotechnology, and winter city design. Its commercial and cultural life has earned it the nicknames “Gateway to the North,” “Canada’s Festival City,” and “City of Champions.”
City Government
Constitutionally, municipalities in Canada are the responsibility of their respective provincial governments. As such, the City of Edmonton is subject to provincial legislation, mainly the Alberta Municipal Government Act. In 2013 the elected City Council consisted of the mayor as well as a councillor for each of Edmonton’s 12 geographic divisions (wards). Reporting to Council is the City Manager, and through him the City’s 11,000 employees,4 divided into five departments.
The Edmonton City Council operates the two-employee model, the second employee being the City Auditor.
ERM DEVELOPMENT IN THE PAST
In 2003 the Office of the City Auditor (OCA) and Administration jointly created an ERM framework, the Corporate Business Risk Planning (CBRP) model. Using input from several city departments as well as external subject matter experts, the CBRP model was based on the Committee of Sponsoring Organizations (COSO) risk management framework, with modifications to allow for weighting of risks at multiple levels of management. The Conference Board of Canada requested permission to use parts of the framework, in particular the Risk Management Assessment Framework tool. CBRP was presented to senior leadership in 2005 and piloted but not fully implemented; it is believed that Edmonton was not yet ready to undertake the discipline at that time.
City Auditor’s Report
In a 2005 audit report,5 the city auditor reported to the City Council’s Audit Committee that:
• Known risks were being managed reasonably well.
• Risks that are strategic in nature were not clearly identified.
• ERM results were not consistently incorporated into business plans.
Administration Response to City Auditor’s Report
Following the 2005 city auditor’s report, several steps were undertaken to address the issues raised in the report:
• The chief financial officer was appointed sponsor for the ERM program.
• ERM governance was added to the responsibilities of the City Council’s Audit Committee, which consists of the mayor, four city councillors, and two members of the public.
• In 2011 a Program Manager and an ERM Working Committee, made up of subject matter experts from throughout the Administration, were appointed to advise on a framework for strategic risk. At this point the 2005 city auditor’s report was closed.6
• An ERM Program Manager was hired in 2012 to assist the Program Manager. In addition, oversight of the ERM framework selection process was passed to the Transforming Edmonton Committee (TEC), comprised of senior leaders responsible for the goals within the strategic plan (The Way Ahead), and from the ERM Working Committee, although the entire ERM Working Committee was kept abreast of developments.
CURRENT OVERALL ERM DEVELOPMENT
After the city auditor’s report in 2005, Edmonton adopted a 30-year vision and six 10-year goals, forming the City of Edmonton Strategic Plan, The Way Ahead. From it were derived six “Ways” plans (directional goals, objectives, performance measures, and targets) in support of The Way Ahead:
Transform Edmonton’s Urban Form: The Way We Grow
Shift Edmonton’s Transportation Mode: The Way We Move
Improve Edmonton’s Livability: The Way We Live
Preserve and Sustain Edmonton’s Environment: The Way We Green
Ensure Edmonton’s Financial Sustainability: The Way We Finance
Diversify Edmonton’s Economy: The Way We Prosper
At the time of writing, all the directional plans have been approved by City Council, except for The Way We Finance.
A summary of The Way Ahead and the six “Ways” plans derived from it can be found in the Appendix at the end of this chapter.
LINKS TO STRATEGIC PLAN AND TO OTHER
STRATEGIC TOOLS
When developing ERM strategy, the following five questions are asked:
1. What are our long-term vision and goals?
2. What strategy will help achieve the vision?
3. What objectives will achieve the strategy?
4. What performance measures will show whether the objectives are achieved?
5. What risks will interfere with achievement of the objectives?
Both performance measurement (PM) and ERM need to be considered when
advancing the strategic objectives. Recognizing this, the Office of the Chief Finan-
cial Officer realigned its Corporate Strategy and Performance section so that the
ERM Program Manager, strategy, and PM staff work together in the same section.
This provides possible opportunities to combine the processes of ERM, strategy,
and PM to gather information for each more efficiently.
Results-Based Budgeting
ERM assists in resource allocation decisions (as shown in Exhibit 15.1) and so was seen to possibly conflict with budgeting models, including a results-based budgeting (RBB) model concurrently piloted by the Administration. The two models can be reconciled, however. For instance, one of the criteria in the RBB model for evaluating city programs was the amount and likelihood of risk relative to the amount of benefit the program was deemed to provide. Conversely, a program’s quartile rating in RBB could be used as an indicator in the ERM model to determine a program’s effectiveness in achieving its desired outcome. In this way, both models could inform each other.

Exhibit 15.1 Relationship between ERM, Performance Measurement, and Results-Based Budgeting
[Figure labels: Strategic Objectives; ERM; Measures of Success; Risk Mitigations; Programs and Costs; Risks to Achieve; Desired Outcomes; Mitigation Priorities; Funding; KPIs; Risk Assessment.]
ERM provides risk assessments to mitigate risks to achievement of the Ways.
Performance Measurement provides Key Performance Indicators (KPIs) to determine the successful achievement of the Ways.
Results-Based Budgeting provides information to assist with determining funding of programs, initiatives, and projects to fulfill the strategic objectives of the Ways.
1. ERM receives measures of success from Performance Measurement, and determines risks to achieving the objectives.
2. Performance Measurement sends a list of desired outcomes to Results-Based Budgeting, and receives lists of prioritized programs and costs.
3. Results-Based Budgeting receives a list of risk mitigations from ERM, and creates a list of budgeted mitigation priorities.
Capital Budgeting Models
Edmonton’s infrastructure branches use sophisticated risk management models
for maintaining and replacing current capital assets, and are introducing risk
assessment into business cases for new capital projects. The strategic ERM model
needs to incorporate these projects at the strategic level.
A graphic showing the linkages between ERM, Performance Measurement,
and Results-Based Budgeting is shown in Exhibit 15.1.
SELECTING AND TESTING A STRATEGIC RISK
MANAGEMENT MODEL
After a review of several ERM frameworks (CBRP, ISO 31000, COSO, etc.), the
Administration decided on a strategy-focused approach. The relationship of strate-
gic ERM as part of the risk universe is shown in Exhibit 15.2.
Such a method was provided in the Risk Scorecard model devised by pm2 Con-
sulting (www.pm2consulting.com). The Financial Services and Utilities depart-
ment (facilitated by the ERM Program Manager) conducted two pilot Risk Score-
cards using the pm2 model, for The Way We Move and The Way We Live. Following
is a description of the pm2 Risk Scorecard methodology.
Exhibit 15.2 Relationship between Strategic, Project, and Operational Risks
[Figure labels: ERM; Strategic (The Ways); Project (short to medium term, finite start/end); Operations (day-to-day).]
Pilot pm2 Risk Scorecard Methodology
The Risk Scorecard consisted of six steps, each dependent on the previous one:
1. Weighting of goals in the plan based on what is the highest priority in the
organization to advance
2. Linking of strategic objectives to goals—determine how the strategic objec-
tives contribute to goals, and to what degree (relationship expressed as
low/medium/high)
3. Identification of risks to each strategic objective, scored 1 to 5 in likelihood
and 1 to 5 in impact
4. Identification of how current programs (processes) contribute to achieving
strategic objectives; currently performed—scored 1 to 5 in relationship to
strategic objective and in effectiveness in meeting expectations
5. Identification of planned future initiatives—scored 1 to 5 in relationship to
strategic objectives
6. Identification of possible future mitigations and risk indicators
Deliverables from this process include a risk register, a heat map, and charts
showing each strategic objective’s cumulative levels of risk, program contribution,
and initiative contribution, to show relative effort toward areas of relative risk.
In addition, a list of possible future mitigations and a list of risk indicators (mea-
sures to show as early as possible that a risk may be occurring) can be derived. The
methodology is shown in Exhibit 15.3.
Ideally, risk assessment would have taken place during the creation of strate-
gic planning documents to help determine the most risk-appropriate actions to
achieve the vision and goals. However, the “Ways” documents were created before
ERM was conceptualized in Edmonton. Therefore, pilots were conducted to catch
up to each Ways document by conducting a Risk Scorecard workshop for each one.
Because of the resource commitment of this exercise, workshops could realistically
only be done one at a time. By the summer of 2013, pilot Risk Scorecards for two
Ways documents had been completed or nearly completed: The Way We Move and
The Way We Live.
Initial Planning
After agreeing to the plan between Administration and pm2 Consulting, a facilita-
tor conducted workshops. For the first pilot, three staff members from pm2 Con-
sulting facilitated the workshop; for the second, the ERM Program Manager was
the facilitator. For both pilots, permission for the participation of lead department
staff was sought and received from the general manager of the lead department: for
The Way We Move, Transportation Services; for The Way We Live, Community Ser-
vices. Branch managers for strategic planning for both departments were tasked
to provide subject matter experts from their staff for the entire workshop; each
provided three to five staff members to bring department expertise. In addition,
for steps 2 and 3 (risk identification and scoring), senior department staff, mainly
branch managers, were asked to participate in scoring the likelihood and impact
of risk events, and to add to or amend the list of risk events.
Exhibit 15.3 pm2 Risk Scorecard Process Diagram
[Figure: five steps in sequence.]
1. Identify Strategy: The Way We … Goals; The Way We … Strategic Objectives
2. Identify Key Risk Elements: ISO 31000-based checklist; Identify Risks
3. Score Risk Elements: Rate Impact and Likelihood against strategic objectives
4. Rate Impact and Performance: Rate Impact and Performance against strategic objectives
5. Determine Indicators and Mitigation Action: Identify risk indicators; Determine risk mitigation actions
Source: pm2 Consulting, 2012.
Each of the workshops took approximately 60 to 70 hours to complete. To keep
time commitments, some portions of steps that were deemed to be less critical were
omitted.
Step 1: Identify Strategy
The first step in the process is to identify strategic direction. Edmonton had a
30-year strategic plan, The Way Ahead. Using input from the public as well as sub-
ject matter experts, The Way Ahead was approved by the City Council and is the key
planning document for the city going forward. To assist in its implementation are
the six Ways plans noted previously. These documents made strategy identifica-
tion straightforward. For the first pilot, The Way We Move (transportation plan) was
selected. It was considered the best place to start because it was the most homoge-
neous of the plans; responsibility for its implementation was overwhelmingly with
one department, Transportation Services. As well, its format made it essentially a
capital plan, with easily understood objectives and goals.
At this point the ERM team had to decide at what level the strategic weightings
were to occur. Options included the six 10-year goals or the 19 strategic objectives,
among others. It was decided that the strategic objectives would be the appropriate
level of analysis for the risk register. The goals would be at too high a level to be
meaningful, and other criteria would not serve the city’s purpose in addressing the
risk needs of the Ways.
Exhibit 15.4 Relationship between Strategic Goals and Objectives
[Table: the rows are the six goals of The Way We Live (Vibrant, Connected, Engaged, Welcoming; Celebrates Life; Caring, Inclusive, Affordable; Safe City; Attractive City; Sustainable City), each with a weighting (Wgt) in percent, the weightings totaling 100.0 (column A). The columns are the strategic objectives, numbered 1.1, 1.2, 1.3, and so on (for example, Vibrant Communities Using Public Spaces; Create Connections Using Infrastructure; Integrate Transit with Local Hubs), each cell holding a 1 to 5 relationship score (B). The resulting objective weighting is shown in the bottom row (C).]
Source: Adapted from pm2 Consultants Risk Score Card Model, 2012.
At this point a weighting of the goals was attempted. Subject matter experts,
including the department general manager, allocated a percentage of support to
each of the six goals. (It should be noted that, for political reasons, this weighting
of the goals may be skipped as management may not want to prioritize these at this
time.) The goals were then placed on the vertical axis of a table, with the strategic
objectives across the top. An example of this table can be found in Exhibit 15.4.
For each strategic objective, the subject matter experts (in this case, four people
from the Community Services department) indicated the link to each goal on a scale
of 1 to 5. The larger an objective, the more goals it would relate to, and the higher
weighting it would receive. When this was completed, each strategic objective had
a weighting (C), expressed as a percentage, calculated as:
C = Σ (A × B) / Σ over all columns [Σ (A × B)] × 100, that is, for objective j and goals i,

$$C_j = \frac{\sum_i A_i B_{ij}}{\sum_j \sum_i A_i B_{ij}} \times 100$$

where:
A = Goal weighting (expressed as a percentage)
B = Relationship of the goal to the objective (1 to 5)
The sums for each column are added together to get a total weighting; each column’s sum is then divided by this total to derive its relative weighting (in this example, 4 percent).
This gave each strategic objective a weighting. This weighting was then com-
pared to that of every other strategic objective to arrive at a percentage of the total
weighting. This kept the weightings constant in relative terms.
The objectives were then transposed to another table where they formed the
vertical axis, then sorted by their percentage of the total objective weighting, with
the highest weightings at the top. This allowed the group to select high, medium,
or low weightings for each strategic objective. This categorization would be carried
on to the next step, risk identification.
Step 2: Identify Key Risk Elements
Using a risk category checklist (a list of categories of potential risks covering all
possible types of risk—e.g., financial, political, partner), the workshop group, with
assistance from a number of subject matter experts, including branch managers,
created a list of risks that could impact the achievement of the strategic objectives.
Step 3: Score Risk Elements
The risks agreed on by the group were then placed across the top of a table with the
strategic objectives listed vertically along the left side. Directly below each risk was
a measure of likelihood of the risk occurring (again on a 1 to 5 scale). The likelihood
score was agreed on by the subject matter experts. The team then scored each risk
to each strategic objective, again on a 1 to 5 scale. This provided two outputs: the
scoring of risks and the risk weighting of each strategic objective. A sample of this
table is shown in Exhibit 15.5.
The risk scores were calculated as:

$$\text{Risk score}_k = \sum_j D_j \times E_{jk} \times F_k$$

where, for risk k and strategic objective j:
D = Strategic objective weighting (1 for low, 3 for medium, 5 for high)
E = Risk impact on objective (1 to 5)
F = Risk likelihood (from top of column) (1 to 5)
These were summed vertically for each risk.
The risk weighting of each strategic objective was calculated using the same
formula but summed horizontally for each strategic objective.
The risks were then transposed onto a data table with their likelihood and their
weighted impact score (the sum of each D × E calculation for each cell in the col-
umn). This provided the basis for the risk register and the heat map.
At this point, several graphs can be created to show the relative nature of the
risks and the strategic objectives. From a risk-based perspective, a heat map can
be created showing the risks with the highest likelihood and weighted impact
score. The more strategic objectives a risk can affect, the greater is the weighted
impact score for that risk. For strategic objectives, a graph can be produced to show
the strategic objectives most impacted by risk. The more risks affecting a strategic
objective, and with greater impacts, the greater that objective’s weighted risk score.
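As an added illustration of the step 1 and step 3 arithmetic above (constructed example code with made-up scores; it is neither the pm2 Risk Scorecard tool nor the City’s data): three goals, three objectives, and three risks are scored, the objective weightings C are derived from the goal weightings A and link scores B, the sorted objectives are banded high/medium/low to give D, and the products D × E × F are summed down each risk column (risk score) and across each objective row (objective risk weighting). The rule that splits the sorted objectives into three equal-sized bands is an assumption; in the workshop the group chose the bands by judgment.

```python
"""pm2-style Risk Scorecard arithmetic (constructed example, not the City's data)."""
from typing import Dict, List, Tuple

# Step 1 inputs. A: goal weightings in percent (constructed; sum to 100).
GOAL_WEIGHTS: Dict[str, float] = {
    "Safe City": 30.0, "Attractive City": 20.0, "Sustainable City": 50.0,
}
# B: relationship of each strategic objective to each goal, 1 to 5 (constructed).
OBJECTIVE_GOAL_LINKS: Dict[str, Dict[str, int]] = {
    "1.1 Create connections": {"Safe City": 5, "Attractive City": 3, "Sustainable City": 2},
    "1.2 Integrate transit": {"Safe City": 2, "Attractive City": 2, "Sustainable City": 5},
    "1.3 Vibrant public spaces": {"Safe City": 3, "Attractive City": 5, "Sustainable City": 1},
}
# Step 3 inputs. F: likelihood of each risk, 1 to 5 (constructed).
RISK_LIKELIHOOD: Dict[str, int] = {
    "Economic slowdown": 4, "Funding shortfall": 3, "Partner withdrawal": 2,
}
# E: impact of each risk on each objective, 1 to 5 (constructed).
RISK_IMPACT: Dict[str, Dict[str, int]] = {
    "1.1 Create connections": {"Economic slowdown": 3, "Funding shortfall": 5, "Partner withdrawal": 1},
    "1.2 Integrate transit": {"Economic slowdown": 4, "Funding shortfall": 4, "Partner withdrawal": 3},
    "1.3 Vibrant public spaces": {"Economic slowdown": 2, "Funding shortfall": 2, "Partner withdrawal": 5},
}


def objective_weightings(goal_weights: Dict[str, float],
                         links: Dict[str, Dict[str, int]]) -> Dict[str, float]:
    """C_j = sum_i(A_i * B_ij) divided by the same sum over all objectives, times 100."""
    column_sums = {obj: sum(goal_weights[g] * b for g, b in scores.items())
                   for obj, scores in links.items()}
    total = sum(column_sums.values())
    return {obj: s / total * 100.0 for obj, s in column_sums.items()}


def weighting_bands(weightings: Dict[str, float],
                    bands: Tuple[int, int, int] = (5, 3, 1)) -> Dict[str, int]:
    """Map each objective to D: 5 (high), 3 (medium) or 1 (low).

    Assumption: objectives are sorted by C descending and cut into three
    equal-sized groups. The workshop group chose the bands by judgment instead.
    """
    ordered = sorted(weightings, key=weightings.get, reverse=True)
    group_size = -(-len(ordered) // 3)  # ceiling division
    return {obj: bands[min(i // group_size, 2)] for i, obj in enumerate(ordered)}


def risk_scores(d: Dict[str, int], impact: Dict[str, Dict[str, int]],
                likelihood: Dict[str, int]) -> Dict[str, int]:
    """Risk score per risk: D * E * F summed down the risk's column (over objectives)."""
    return {risk: sum(d[obj] * impact[obj][risk] * f for obj in impact)
            for risk, f in likelihood.items()}


def objective_risk_weightings(d: Dict[str, int], impact: Dict[str, Dict[str, int]],
                              likelihood: Dict[str, int]) -> Dict[str, int]:
    """Same products, summed across each objective's row (over risks)."""
    return {obj: sum(d[obj] * e * likelihood[risk] for risk, e in row.items())
            for obj, row in impact.items()}


def heat_map_points(d: Dict[str, int], impact: Dict[str, Dict[str, int]],
                    likelihood: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Heat map axes per risk: (likelihood, weighted impact = sum of D * E)."""
    return {risk: (f, sum(d[obj] * impact[obj][risk] for obj in impact))
            for risk, f in likelihood.items()}


def risk_register(d: Dict[str, int], impact: Dict[str, Dict[str, int]],
                  likelihood: Dict[str, int]) -> List[Dict[str, object]]:
    """Register rows sorted by weighted risk score, highest first."""
    scores = risk_scores(d, impact, likelihood)
    points = heat_map_points(d, impact, likelihood)
    rows = []
    for risk in sorted(scores, key=scores.get, reverse=True):
        f, weighted_impact = points[risk]
        rows.append({"risk": risk, "likelihood": f,
                     "weighted_impact": weighted_impact,
                     "weighted_risk_score": scores[risk]})
    return rows


if __name__ == "__main__":
    c = objective_weightings(GOAL_WEIGHTS, OBJECTIVE_GOAL_LINKS)
    d = weighting_bands(c)
    print("objective weightings (C):", {k: round(v, 1) for k, v in c.items()})
    print("bands (D):", d)
    for row in risk_register(d, RISK_IMPACT, RISK_LIKELIHOOD):
        print(row)
```

Because the column totals and the row totals are the same products summed in different directions, checking that they agree is a cheap sanity test of a scorecard spreadsheet before the heat map is drawn from it.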
Step 4: Link Programs, Initiatives, and Risks
Exhibit 15.5 Relationship between Risks and Strategic Objectives
Source: Adapted from pm2 Consulting Risk Scorecard model, 2012.
The next list required was that of the existing programs currently in place to fulfill the strategic objectives. For the ease of the workshop, it was decided to use the list of programs shown in the annual operating budget. Other program levels could have been used, such as that used in the city’s results-based budgeting (RBB) initiative. This initiative divided budget-level programs into smaller components, which would be easier to change but increased the number of programs tenfold. It was for this reason the RBB-level program list was rejected; the number of programs in that initiative was exceedingly high.
Once a program level was agreed on, a new table was created, with the pro-
grams across the top and the strategic objectives down the left side. On this table,
the subject matter experts scored the impact of the relationship between each pro-
gram and each strategic objective (on a 1 to 5 scale). In addition, the participants
estimated the effectiveness of each program (i.e., whether it fulfilled the require-
ments of the program), again on a 1 to 5 scale, with 5 meaning the program was
performing as required and 1 meaning the program’s performance was well below
what was required. The difference between what was required of the program
and its actual performance (i.e., 5 minus the effectiveness score) was known as
the strategic gap. An excerpt from this table can be found in Exhibit 15.6.
Exhibit 15.6 Linkages between Strategy and Programs
Source: Adapted from pm2 Consulting Risk Scorecard model, 2012.
At this point a new graph could be created, with a vertical bar for each strategic
objective and its cumulative program requirements. Adding the cumulative effec-
tiveness and cumulative strategic gap gave a stacked bar graph whose height was
its cumulative program requirement. The bigger the objective, the more programs
it had and therefore the higher cumulative program requirements (and likely a
proportionally large strategic gap).
The last dimension in step 4 was to list new initiatives the City planned to implement, and rate their importance to each strategic objective. For the purposes of the workshop, it was decided to limit the list to those in the Implementation Plan for each Ways document. Within this set of possibilities, only the initiatives coded as “will do” (not “already done,” “already doing,” “could do,” or “aspire to do”) were used for the initiatives list, to keep it to a manageable size. With this list scored by each strategic objective on a 1 to 5 scale, a graph could be produced showing the cumulative impact of future initiatives on each strategic objective. A table linking initiatives to strategy is found in Exhibit 15.7.
Exhibit 15.7 Linkages between Strategy and Initiatives
[Table: initiatives scored 1 to 5 against each strategic objective.]
Source: Adapted from pm2 Consulting Risk Scorecard model, 2012.
With the strategic gap and initiatives impact established, the two graphs for
each objective could be combined on one graph to show the cumulative strategic
gap and cumulative initiative impact for each strategic objective. If resources were
properly allocated, one would expect to see a correlation between the height of the
strategic gap bar and the height of the cumulative initiative impact point for each
objective. For viewing purposes, it was necessary to use different scales for each
data series, to best show the correlation. Finally, the risk weighting for each strate-
gic objective could be added to the graph. This showed the relative risks associated
with each strategic objective in relation to its required programs and initiatives.
Exhibit 15.8 Strategic Objectives—Risk, Strategic Gap, and Impact of Initiatives
Source: Adapted from pm2 Consulting Risk Scorecard model, 2012.
Overall, a correlation between risk, strategic gap, and initiatives may be observed.
For objectives whose risks do not correlate with strategic gap and initiatives, this
forms the basis of discussion for the objective; in-depth analysis shows the types
of risks, whether they are caused by or independent of the programs comprising
the strategic gap, and whether future initiatives address the risks, either directly
or indirectly. The graph showing risk, strategic gap, and impact of initiatives on
strategic objectives is found in Exhibit 15.8.
Step 5: Determine Indicators and Mitigation Actions
The final step involved completion of a risk indicator worksheet for each risk/
strategic objective combination. This sheet required the user to list potential mitiga-
tion strategies, including required lead time, as well as indicators of inputs, actions,
or outputs that would signal the potential onset of a risk event. The worksheet data
were then summarized in a database indicating strategic objective, risk, mitigation,
lead time, and whether the organization is already undertaking the mitigation.
The database could then be grouped by objective, risk, or mitigation as needed.
On completion of the mitigation database, the final risk scorecard could be
completed. This was a table showing strategic objectives on the left and risks across
the top. For each data point, the impact of the risk on that objective was indicated,
as was its performance (good, fair, or poor shown as medium gray, light gray, dark
gray), and showed the risk level for each objective (the level of potential risk of the
risk element impacting this strategic objective).
This provided a basis of discussion to identify key risks affecting strategic
objectives.
SELECTING AN ERM FRAMEWORK
At the end of the second pilot, each department involved (Transportation Services
for The Way We Move and Community Services for The Way We Live) was consulted
to provide feedback on the process. As a result of the consultations it was decided
to componentize the pm2 model, as some aspects were seen to add more value than
others. In addition, the model as a whole was found to provide levels of complexity
that, while useful, might preclude its successful implementation. Each individual
component could then be compared with other frameworks.
During this time, staff from the Edmonton Police Service (EPS) met with the
Financial Services staff and presented its ERM process, based on the ISO 31000
framework. By provincial law, EPS maintains a separate command structure,
reporting to the City Council through the Edmonton Police Commission. Inde-
pendently, the EPS had, over a span of five years, evolved a mature ERM process
based on in-depth performance measurement tools and impetus from the Police
Commission to proactively identify and treat its risks. The EPS felt at this time that
it could offer to share its ERM model with other city departments on an operational
level. This provided an incentive for the Financial Services department to compare
the pm2 model with the ISO 31000 framework to determine a best solution going
forward. A diagram of the ISO 31000 ERM process is found in Exhibit 15.9.
Comparison of pm2 and ISO 31000 Frameworks
After two pilots of the pm2 framework (with The Way We Move and The Way We Live), the ERM team evaluated the pilots to provide recommendations for strategic ERM going forward. Elements were taken from ISO 31000 and the pilot project. A comparison of the two frameworks is found in Exhibit 15.10.
Exhibit 15.9 ISO 31000 Enterprise Risk Management Process Chart
[Figure: Establish Context; then Identify Risks, Analyze Risks, and Evaluate Risks (together labeled Risk Assessment); then Treat Risks. Communicate and Consult and Monitor and Review run alongside the whole sequence.]
Source: Based on CAN/CSA-ISO 31000-10, Risk Management—Principles and Guidelines, International Standards Organization/Canadian Standards Association, 2009.
Exhibit 15.10 Comparison—pm2 Risk Scorecard versus ISO 31000 Model
pm2 Risk Scorecard
  Pros: Strong weighting method; Includes programs and initiatives; Powerful tool
  Cons: Part of a larger process; Complex—hard to implement; Mitigation process hard to implement
ISO 31000
  Pros: Simpler to implement; Robust global standard; Required for Enviso
  Cons: No programs and initiatives; No direct tie to other processes
RECOMMENDED STRATEGIC ERM MODEL
After reviewing the results from the two pm2 pilots, the ERM team consulted with
the subject matter experts from both operating departments involved in the Risk
Scorecard workshops. The participants saw the logic in the model and had a good
understanding of what was required in the workshop. They also provided valuable
feedback on the usefulness of each section of the model.
All participants regarded step 1, the linking of goals and strategic objectives,
as a strength; in fact, it was believed that this methodology would add value to
other processes as well, such as results-based budgeting. Steps 2 and 3, identifying
and scoring risks, would be core processes for any risk model. Step 4, linking pro-
grams, initiatives, and risks, was regarded as powerful but potentially confusing to
branch managers and, as a result, might not add the expected value to the process.
Moreover, linking programs and initiatives may have also been done with other
processes, making this a duplication of effort. Finally, step 5, while necessary to the
ERM process, was considered to be excessively complex and time-consuming. A
simpler process for determining mitigations and following up was needed. From
discussions with EPS and other research regarding ISO 31000, it was determined
that the ISO 31000 framework held the key to a simpler risk mitigation and review
process. It was also superior to the Risk Scorecard model in that it focused on miti-
gation at the risk level, rather than the strategic objective level, and did not require
a separate worksheet for each risk/objective combination. Finally, because several
city branches were certified to the ISO 14001 (Environmental Management) stan-
dard under Edmonton’s Enviso program, it was noted that upcoming recertifica-
tions would require risk assessment conforming to the ISO 31000 standard.
The final recommended strategic ERM model for the City of Edmonton con-
sisted of four steps, and is shown in Exhibit 15.11.
Step 1 (Weight Goals and Objectives), step 2 (Identify Risks), and step 3 (Assess Risks) are the same as steps 1 to 3 in the pm2 Risk Scorecard model. Step 4, however, is based on the “Evaluate Risks” and “Treat Risks” sections of the ISO 31000 RM (risk management) standard. In Step 4, the risks are transposed onto a risk register, where each row contains the necessary information for that risk: category, description, likelihood score, weighted impact score, weighted risk score, risk rating, risk acceptance, summary comments, current mitigations, future mitigations, risk owner, status update, and update interval.
An example of the proposed risk register is found in Exhibit 15.12.
Exhibit 15.11 The City of Edmonton’s Proposed ISO 31000–Based Strategic Risk Management Framework
[Figure: five boxes in sequence: 1. Weight Goals and Objectives; 2. Identify Risks; 3. Assess Risks; 4. Determine Mitigations; 5. Review and Update. Annotations on the figure: Identify linkages between goals and objectives (Goals from The Ways; Objectives from The Ways); Identify risks to strategic objectives (from the Ways plans) using risk universe checklist; Determine likelihood and impact of risks to strategic objectives; Prioritize risks by weighting (likelihood x impact x weighting); Determine appropriate actions, assign to risk owners, and follow up.]
LESSONS LEARNED
Several lessons were learned in terms of (1) key success factors and (2) the process
of selecting and implementing a framework. The findings from these two cate-
gories are shown next.
Key Success Factors
Buy-In by Senior Management
Edmonton’s Corporate Leadership Team (CLT, comprised of the city manager and
the general manager of each department) has supported the concept of ERM. At a
senior management level, staff must be able to perceive the value added by ERM.
This makes design of an appropriate ERM process, which can show value to man-
agement, critical to its success. An example of the value proposition is found in
Exhibit 15.13.
In general, the process must have two properties: it must be simple and it must
show the value of doing it.
A critical balance must be struck between model power (i.e., how much infor-
mation it provides) and user-friendliness. A model can provide large amounts of
information but will not be helpful if it is too complex to be understood or too time-
consuming to be considered worthwhile by the users. Conversely, a model that is
too simple will not be helpful, as it will lack the relevance to achieve buy-in.
The pm2 model consists of a number of simple steps performed in sequence to
produce powerful results. These results include comparisons of risk, effectiveness
of current programs, and the impact of future initiatives on achievement of strate-
gic objectives. The challenge for the ERM team is to show the simplicity of the steps
in the model to leaders, to ensure their understanding of the concept and buy-in
to the model. Concerns have been voiced by department staff that the model, as
followed in the pilot Risk Scorecard workshop, may include steps deemed too com-
plex by branch managers. If necessary, some steps can be removed, and the model
stripped to its risk analysis component if other levels of analysis are deemed not
to add value to management, without losing the robustness of the model.
Whatever model is used, it must be customizable to the city’s circumstances.
For example, if branch managers believe a process to be too time-consuming or too
difficult, it must be shortened and simplified to overcome this concern. Conversely,
if the model is considered too simplistic to add value, rigor must be added to the
model to show the value added and to show the time spent to be worthwhile.
Culture of Innovation (Risk-Smart)
In addition to buy-in from senior leadership, ERM also requires a culture of innovation, where new ideas are embraced and failure is tolerated. At a senior management level, the Transforming Edmonton Committee (TEC) is responsible for overseeing strategic planning and successful achievement of the city’s strategic goals under The Way Ahead. Ensuring that the TEC understands the relationship between strategy, ERM, and performance measurement (PM) is key to successful ERM implementation.
Exhibit 15.12 Sample Proposed Risk Register
[Table columns: Category; Risk Element; Current Risk Rating; Risk Accepted? (Y/N); Summary Comments; Current Mitigation Actions; Future Mitigation Actions; Risk Owner; Status Update; Update Required. Sample row:]
Category: Economic
Risk Element: Economic slowdown results in increased demands on Social Supports
Current Risk Rating: Medium
Risk Accepted? No
Summary Comments: Strategic Outcomes: Higher demands are placed on existing programs, resulting in reduced overall service levels. Risk Not Acceptable: Economic slowdown will require the City to prioritize programs and reallocate resources to provide social services in the most effective manner
Mitigation Actions: Devise scalable plan for program prioritization
Risk Owner: CLT
Status Update: Economic conditions are monitored constantly; no downturn detected to date (4 Oct. 13)
Update Required: 6 Months
Exhibit 15.13 The ERM Value Proposition
[Figure: Enterprise Risk Management leads to Better Information, Quality Decisions, Enhanced Performance, and More Value for Citizens.]
Source: Integrated Risk Management “Building Bridges: City of Winnipeg, Audit Department”, February 2009.
Governments have traditionally been regarded as risk-averse, as political
opponents would pounce on any perceived error by the government. To enable
a culture of innovation, however, the organization must move from a risk-averse
view to a risk-aware view, in which it openly recognizes the risks it faces. Finally,
as the organization fully embraces its culture of innovation, it must move from a
risk-aware view to a risk-smart view, where risks are embraced, well-managed,
and mined for opportunities.
Consistency of Model across the Ways
The ERM Program Manager, as facilitator of the workshops, must ensure that con-
sistent standards are maintained in weighting objectives, defining risks, and deter-
mining mitigations and feedback.
A strength of the pm2 model is its robustness. This robustness stems from the
model’s system of weighting of strategic goals and objectives. Even if a future City
Council drastically changed the prioritization of the goals, the model would auto-
matically adjust for this change and update the risk register and other outputs
accordingly. Other models would require an in-depth review of each risk in light
of such a change.
This weighting system for goals and objectives can potentially be carried over
to other management processes as well. For example, the results-based budgeting
(RBB) model currently being tested by the City also has a weighting system for
city programs to prioritize them. In addition, performance measures can be simi-
larly prioritized to determine which ones carry the highest priority and therefore
warrant the most scrutiny.
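The robustness the two paragraphs above attribute to weighting can be seen in a small register. The code below is an added illustration; it is not the City of Edmonton’s pm2 model and not code from the book. The scoring rule (likelihood times the objective-weighted sum of impact ratings), the derivation of objective weights from goal priorities, and the sample goals, objectives and risks are all constructed assumptions. What it shows is the property the text describes: when Council re-prioritizes the goals, every risk score and the resulting ranking are recomputed from the weights, with no per-risk review. The same objective weights could be applied to performance measures or RBB programs by scoring them the same way.

```python
"""Weighted strategic risk register (added illustration; assumed scoring rule,
constructed sample data; not the City of Edmonton's pm2 model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Objective:
    name: str
    goal: str  # the strategic goal this objective serves


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str         # designated risk owner (hypothetical values below)
    likelihood: float  # assumed 0..1 scale
    impacts: dict      # objective name -> impact rating, assumed 1..5 scale


class RiskRegister:
    def __init__(self, objectives, goal_priorities):
        self.objectives = {o.name: o for o in objectives}
        self.risks = []
        self.set_goal_priorities(goal_priorities)

    def set_goal_priorities(self, goal_priorities):
        """Derive objective weights from goal priorities (assumed convention):
        a goal's weight is its priority as a share of the total, and the
        goal's objectives split that weight equally, so weights sum to 1."""
        total = sum(goal_priorities.values())
        per_goal = {g: p / total for g, p in goal_priorities.items()}
        count = {}
        for o in self.objectives.values():
            count[o.goal] = count.get(o.goal, 0) + 1
        self.weights = {o.name: per_goal[o.goal] / count[o.goal]
                        for o in self.objectives.values()}

    def add(self, risk):
        # Reject risks that reference objectives not in the strategic plan.
        unknown = set(risk.impacts) - set(self.objectives)
        if unknown:
            raise ValueError(f"{risk.name}: unknown objectives {sorted(unknown)}")
        self.risks.append(risk)

    def score(self, risk):
        # Likelihood times weighted impact; untouched objectives contribute 0.
        return risk.likelihood * sum(self.weights[o] * i for o, i in risk.impacts.items())

    def ranked(self):
        """(name, score) pairs, highest score first, recomputed from current weights."""
        return sorted(((r.name, self.score(r)) for r in self.risks), key=lambda t: -t[1])


def build_sample_register():
    """Constructed sample data, not Edmonton's actual goals, objectives or risks."""
    objectives = [
        Objective("Balanced operating budget", "Financial Sustainability"),
        Objective("Maintain credit rating", "Financial Sustainability"),
        Objective("Reduce corporate emissions", "Environment"),
    ]
    reg = RiskRegister(objectives, {"Financial Sustainability": 3, "Environment": 1})
    reg.add(Risk("Economic downturn", "CLT", 0.4,
                 {"Balanced operating budget": 5, "Maintain credit rating": 4,
                  "Reduce corporate emissions": 1}))
    reg.add(Risk("Carbon regulation change", "Environment Branch", 0.5,
                 {"Reduce corporate emissions": 5, "Balanced operating budget": 2}))
    reg.add(Risk("Breach of citizen-services IT systems", "IT Branch", 0.3,
                 {"Balanced operating budget": 3, "Maintain credit rating": 2}))
    return reg


def demo():
    """Return the risk ranking before and after Council inverts goal priorities."""
    reg = build_sample_register()
    before = [name for name, _ in reg.ranked()]
    # A later Council inverts the priorities: the register is rescored, not rebuilt.
    reg.set_goal_priorities({"Financial Sustainability": 1, "Environment": 3})
    after = [name for name, _ in reg.ranked()]
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before re-prioritization:", b)
    print("after re-prioritization: ", a)
```

With the financial goal weighted three times the environmental one, the economic downturn ranks first; invert the priorities and the carbon regulation risk moves to the top while the register entries themselves are untouched. The `add` check is the consistency control the ERM Program Manager role above is meant to enforce: a department cannot score a risk against an objective that is not in the plan.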
Another strength of the pm2 model is that it does not differentiate between operating and capital items. Often a strategic objective has both a capital and an operating component (e.g., construction of a new recreation center and staffing and maintaining it afterward), which are dealt with in separate operating and capital budget cycles.

Resource Requirements on Department Subject Matter Experts

Each step in the ERM framework requires input at a senior management level in each operating department. Cumulatively these time requirements can be material for senior management already dealing with the resource constraints of their regular duties. The challenge for the ERM and other models is to minimize the time required of city staff to avoid push-back from project fatigue, which would impact the success of the ERM program.
Department Accountability for Key Risks

When key risks are identified, the department in question must take ownership of the model and assign key risks to designated risk owners. These individuals will be responsible for devising and implementing mitigation strategies and reporting results at appropriate intervals.

Findings on the Process of Selecting and Implementing a Framework

Implementing an ERM framework typically takes longer than expected. More time seems to be spent getting buy-in for the concept from the C-suite and devising an appropriate model than one could ever predict. Rarely do off-the-shelf frameworks exist that can be employed in short order; plans usually have to be tailored to fit the organization’s unique circumstances. Some of Edmonton’s learnings from this ERM implementation include the following.

There is no perfect system. What works for one organization may not work for another. What is necessary is flexibility. Any system must be simple enough to understand, robust enough to be usable in any area of the organization, and powerful enough to add value in decision making. In addition, it may be preferable to create a hybrid approach, taking the best parts of two or more competing systems to create one that best meets the organization’s needs.

No matter how good an ERM framework is, if senior leadership does not buy in to the framework, it cannot succeed, as management will need to see the usefulness and cost justification. Three frameworks were presented to senior leadership between 2005 and 2013; all were sound and based on extensive research and knowledge of risk management principles. All were found by senior leadership to be either too complex or not a fit to Edmonton’s needs.

It may be problematic to try to roll out an entire system at once. In the initial ERM planning phases there seems to be a tendency to try to hit a home run; that is, to roll out a perfect ERM system at strategic, project, and operating levels all at once. It may be the most efficient in theory, but in practice it requires a prohibitive amount of up-front resources. It ignores the learning curve managers have in learning about ERM, how it applies to them, and how to do it. This leads to the next point.

It may be preferable to introduce one phase of ERM at a time. In Edmonton’s case, previous attempts at an ERM framework were unsuccessful because they went against the stated wishes of the Corporate Leadership Team (CLT). One of the CLT’s main drivers for action on ERM was the 2005 city auditor’s report, which identified issues mainly with strategic risk. With this in mind, the CLT wanted primarily to focus just on strategic risk, not on an overall framework. In terms of a corporate rollout, then, phase 1 was to be strategic risk; project risk and operational risk could be dealt with later, as these were lower priorities for the CLT and the city auditor.

When working with operating departments on a framework (even a pilot), it is important to define clearly what you want to accomplish with the operating departments in question. In this case, it was clearly defined that the department owned the risk register and was responsible for its content; the ERM team’s role was to maintain it. Going forward, the ERM team’s role was also that of facilitator, coach, and mentor to the department staff.
CONCLUSION

At time of writing, the recommended strategic ERM model was being fine-tuned for the remaining Ways documents, pending feedback from the teams involved in the two pilot Risk Scorecards.

In the longer term, the ERM Program Manager recommended further consolidation of the ERM model by ensuring links to project risk management, and by harmonizing operations’ risk management practices with the ISO 31000 risk management standard, to provide consistent risk management methods to all areas, many of which are already practicing ERM, but using different formats.

Finally, the process of ERM needs to be tied to the process of performance measurement going forward. As strategic performance measures are created or amended, the risks to achieving them need to be identified at the same time, to provide the most efficient and effective means of ensuring that the measures of success can be achieved.

APPENDIX: SUMMARY OF THE WAY AHEAD, EDMONTON’S STRATEGIC PLAN

The City of Edmonton developed a strategic plan in 2008 called The Way Ahead. It contains:
• A 30-year citizen-built City vision, describing Edmonton’s future
• Six 10-year strategic goals: Transform Edmonton’s Urban Form; Shift Edmonton’s Transportation Mode; Improve Edmonton’s Livability; Preserve and Sustain Edmonton’s Environment; Ensure Edmonton’s Financial Sustainability; and Diversify Edmonton’s Economy
• Corporate outcomes, performance measures, and targets

The Way Ahead was developed using the principles of integration, sustainability, livability, and innovation. It was built on a strong base of programs and services that already exist.

The Way Ahead has provided a foundation for prioritization and decision making. Since 2008, continual improvement has been made to the plan.

To better understand and measure how Edmonton is advancing the vision and 10-year goals, corporate outcomes for all six 10-year goals and performance measures for five of the six goals were developed in 2010. Performance measure targets for three of the six goals were approved in 2011. The Way Ahead was updated in 2011 to reflect this progress.

Over the past five years, the city has developed several directional plans to help achieve The Way Ahead.

Directional plans, referred to as the Ways plans, have been established to focus the city’s work in both the achievement of the 10-year strategic goals and in delivering existing services to citizens. Accompanying Ways implementation plans were also developed to outline specific initiatives and actions that contribute significantly to the achievement of the Ways plans. The following chart shows each of the plans and when they were created.
Directional Plans:
• The Way We Grow: Municipal Development Plan (2010)
• The Way We Move: Transportation Master Plan (2009)
• The Way We Live: Edmonton’s People Plan (2010)
• The Way We Green: Edmonton’s Environmental Strategic Plan (2011)
• The Way We Finance: Edmonton’s Financial Sustainability Plan (under development)
• The Way We Prosper: Economic Development Plan (2013)

Implementation Plans:
• The Way We Grow Implementation Plan (2013 to Council)
• The Way We Move Implementation Plan (2012)
• The Way We Live Implementation Plan (2012)
• The Way We Green Implementation Plan (2013 to Council)
• The Way We Prosper Implementation Plan (under development)

In addition, the city is taking a results-based approach to aligning resources with the vision and 10-year strategic goals. Results-based budgeting is about emphasizing performance and accountability.

The following chart shows the alignment between The Way Ahead, Ways plans, and operational planning.
QUESTIONS

1. What other strategic processes are closely tied to ERM?
2. What three kinds of risks are identified within the City of Edmonton?
3. What two criteria must be balanced in a successful ERM model?
4. Who is responsible for dealing with and mitigating risks?
5. To what body must the City’s strategic risks be reported?

NOTES

1. Chris Hadfield, An Astronaut’s Guide to Life on Earth (Toronto: Random House Canada, 2013).
2. Conference Board of Canada, “Economic Insights into 13 Canadian Metropolitan Economies,” August 20, 2013.
3. City of Edmonton, “Economic Insights, Economic Outlook 2012–2013,” October 26, 2012.
4. City of Edmonton, Corporate Services, Human Resources Branch, HR Research, Statistics & Reporting Group, November 25, 2013.
5. City Auditor Report, “ERM Corporate Business Risk Planning,” August 25, 2005.
6. Ibid.

ABOUT THE CONTRIBUTOR

Ken Baker is ERM Program Manager for the City of Edmonton. He is responsible for developing and implementing a strategic ERM model for the city. In addition to strategic risk, he also liaises with other areas of risk management within Edmonton to find areas of commonality, to assist with project risk management, and to investigate standardization of operational risk management among city departments. Finally, he acts as mentor and subject matter expert for areas requesting ERM expertise, as well as implementation of risk management into other business planning models such as operating budgets, operating business plans, and capital plans.

Ken is a Certified Management Accountant (Alberta) and serves on the Finance Committee of the Risk and Insurance Management Society (RIMS). Prior to his work with the City of Edmonton, he was Controller at the Alberta Urban Municipalities Association, where ERM development was included in his mandate. He also held a number of accounting positions in Canada and Sweden. Ken has a bachelor of commerce degree from the University of Alberta School of Business.
CHAPTER 16
Leveraging ERM to Practice
Strategic Risk Management
JOHN BUGALLA
Managing Principal, ermINSIGHTS
JAMES KALLMAN
Assistant Professor, St. Edward’s University
Enterprise risk management (ERM) emerged more than 15 years ago as an all-encompassing alternative to the then traditional fragmented approach to risk management. This previous disjointed style is sometimes referred to as managing individual risks in stand-alone silos or stovepipes. Risk management practitioners started to flesh out and test the theory. Early practical applications took the form of integrated risk programs that combined selected hazard risks and financial risks.1

As the ERM process was debated and matured, practitioners started to include operational risks within their portfolio. Risk registers emerged that organized the various identified risks into categories that now included hazard, financial, and operational risks. Hazard risk examples include fires, lawsuits, and strikes. Financial risk examples include commodity price volatility, inflation, and currency exchange rate fluctuations. Operational risk examples include process disruptions, compliance failures, and technology breakdowns.2

ERM practitioners began encountering internal organizational push-back because the process was inappropriately seen as (1) reactionary and (2) an unnecessary expansion of audit and compliance. Peter Drucker once stated, “The purpose of business is to create and keep a customer.”3 Recognizing the corporate imperative to grow the business, proponents of ERM postulated that they could indeed bring new utility to the process by aligning with, and supporting, corporate business goals, rather than just focusing on the downside of risk management. The methodology utilized to integrate ERM into alignment and support of overall business goals is to incorporate the ERM process into longer-range strategic planning and annual business plans. ERM practitioners added another new risk category to their portfolio: strategic risks. Strategic risk examples include social, technological, economic, environmental, and political situations that are much broader in scope and longer in impact. The expanded risk portfolio is far more vibrant because it inserts the ERM process into the growth side of the business. ERM moves from supporting only a defensive function to include a more balanced approach that supports growing the business.
The original vision of ERM as an all-encompassing alternative to traditional risk management expands if executive management utilizes the ERM process to support improved decision making to both protect and grow the business. Practicing strategic risk management requires risk-adjusted decision making.4 However, leveraging ERM to practice strategic risk management depends on executing on three different, but related, variables:
1. Executive management’s willingness to reexamine the purpose of ERM—away from purely control and compliance to a strategic function
2. Positioning and leveraging ERM within the organization to support longer-range strategic planning and annual operational business goals
3. Making risk-adjusted decisions and practicing strategic risk management by utilizing new tools and techniques to measure the value created or protected by adopting the ERM process

ERM: A REEXAMINATION OF PURPOSE

Metaphorically, ERM can be compared to a tree5 with branches growing in various directions. The enterprise risk management process has emerged from its fundamental risk management roots: preserving assets, protecting people, and complying with laws and regulations. The ERM tree developed several new branches growing in multiple directions during its initial growth period.

A standard ERM framework does not yet exist. After more than a decade of evolution, the various different national standards or artificially created frameworks and differing lexicons for marketing and commercial purposes that had existed have been reduced to two.6 There is the framework developed by the Committee of Sponsoring Organizations (COSO) and the framework and lexicon developed by the International Organization for Standardization (ISO). These two different frameworks have different DNA. The COSO sponsoring organizations are (1) the American Accounting Association, (2) the American Institute of CPAs, (3) Financial Executives International, (4) the Association of Accountants and Financial Professionals in Business, and (5) the Institute of Internal Auditors. COSO’s DNA is the financial reporting scandals of the early twenty-first century. ISO 31000:2009 is designed to be the standard principles and guidelines; it provides principles, framework, and a process for managing risk. However, actual risk management practice by a cross section of organizations indicates that hybrid frameworks are being utilized because some organizations reject strict adherence to either of the two self-proclaimed standards.7 The hybrid idea is that the best parts of both frameworks produce a more customized model that better serves the needs of an organization, such as providing a unique competitive advantage. There also is still considerable confusion over the purpose of ERM. Some organizations view ERM as a strategic function, while others still see ERM as only a control and compliance function.

Another reason ERM has lacked a uniform standard is the way commercial firms sell ERM. The marketing of ERM by professional services firms mirrors the services and product offerings that are the core business services of those firms. For example, accounting and audit firms view ERM through the lens of audit, compliance, and control, whereas insurance brokers see ERM through the supply chain lens that leads them to a range of insurance-based products. Financial institutions, such as banks, see ERM as a methodology to comply with laws and regulations. And consulting firms focus on utilizing ERM in strategy and organizational structure. Additional branches on the ERM tree have been created by other specialties such as information technology (IT), business continuity, and crisis management.
The shape of ERM within organizations is largely dependent upon which branch of the ERM tree it emerged from. The practice of ERM will be biased toward the partisan internal forces claiming ownership of the process. For example, accounting firms may place compliance at the top of the tree. In contrast, insurers put financial outcomes and statutory regulatory requirements at the top, subjugating all other actions to creating economic value. As another example, utilities place reliability at the pinnacle of the ERM tree, knowing that is their core mission.

The lowest branch on the tree closest to the base represents the earliest forms of ERM. They were called ERM programs in the financial press, but were in actuality integrated risk programs. One such program that received a great deal of attention in the financial press in the late 1990s was the United Grain Growers (UGG) ERM program.8 The fruit of this branch was creative financing of historically heterogeneous risk categories into new blended programs (i.e., volume risk combined with hazard risks). Creative financing came from aggregating these different kinds of risks into a blended multiyear basket, sometimes coupled with an exotic trigger.

Two additional limbs appeared in quick succession in 2001 and 2002. In the wake of 9/11, the business continuity planning branch emerged with a focus on disaster preparedness and emergency response planning. A renewed emphasis on physical security and system redundancy was accompanied by terrorism risk assessments, modeling of man-made disasters, and the passage of the Terrorism Risk and Insurance Act (TRIA).9 IT departments and asset managers led the way in nurturing these branches. Another compliance-related branch grew out of the Enron implosion and other issues of corporate fraud. These fiduciary breaches led ultimately to the Sarbanes-Oxley Act,10 the creation of the COSO ERM Framework,11 and passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act.12

Yet another branch in the compliance and audit family that emerged over the past few years is called governance, risk, and compliance (GRC). This branch focuses on blending the ERM approach to include corporate governance and risk management requirements from entities such as the New York Stock Exchange. This branch gains its support from audit firms and information technology providers.

As the United States embraces the general concept of sustainability, a new ERM branch has grown to include the green movement. One such branch includes John Elkington’s concept of the triple bottom lines of profit, people, and planet.13 From this perspective, ERM is seen as being more holistic about the risks faced by businesses in executing their strategies. In addition to managing variation in a business’s economic performance, this ERM approach also includes assessing the impact on social justice performance and environmental stewardship. The social justice aspect requires an analysis of how risks impact stockholders, but also customers, vendors, governments, and employees. The environmental aspect has broadened the vocabulary of ERM. Terms like cap and trade, carbon footprint, and sustainable development have worked their way into the risk management lexicon. Company stakeholders have expanded far beyond employees, owners, and customers to encompass literally the entire world.

Several years ago another new branch started to grow where the idea was that the ERM process could support the addition of new measurable value to an organization. Adherents to this philosophy view ERM as encompassing both threats and opportunities. The practitioners in this camp consider leveraging risk to take advantage of the upside of opportunities, while at the same time addressing the traditional downside of risk. While some of the opportunities identified can be transactional or product-related in nature, by and large ERM should be focused on supporting business strategies. In this way ERM can be utilized to take advantage of operating conditions by aligning business growth opportunities with agreed risk appetites and tolerances to overall organizational goals: risk-adjusted decision making. Executive management’s willingness to reexamine the purpose of ERM is the first key element toward recognizing that it is a strategic function that supports reducing the impact of adverse events and exploiting opportunities to achieve better outcomes.
REGULATORY ENVIRONMENT

The metaphoric ERM tree, like its counterpart in nature, must adapt to its environment in order to thrive. The ERM tree is growing in an environment of increased regulation by various federal agencies. Reacting to the consequences of the recent Great Recession, provoked mainly by the financial crisis of 2008–2009, the two most important new (2010) regulations (at least in the United States) affecting both the growth and practice of ERM are (1) Securities and Exchange Commission (SEC) Amended Rule 33-9089,14 and (2) the Dodd-Frank Wall Street Reform and Consumer Protection Act.15

SEC 33-9089 clearly places the oversight of risk management with the board of directors at publicly traded companies. Dodd-Frank’s Section 165 mandates the formation of a stand-alone board-level risk committee consisting of independent directors, practicing enterprise-wide risk management, and requiring a chief risk officer (CRO) within the financial sector.

More recently (January 5, 2012), the Board of Governors of the Federal Reserve proposed “Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies.”16 Far more prescriptive and detailed mandates have been added to the original Section 165 that include:
• Board-level risk committees to be chaired by an independent director for bank holding companies over $10 billion, increasing the reach of the legislation to a greater number of institutions than the originally announced $50 billion
• A specific list of “Responsibilities of Risk Committee”
• “Appointment of CRO” who will report directly to the chief executive officer and board-level risk committee
• A specific list of responsibilities and actions by the CRO

The proposed “Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies [R-1438],” provides not only the detailed responsibilities of the risk committee of the board of directors, but insights into just how deep the Federal Reserve is attempting to reach within the governance structure of publicly traded companies within the broader financial sector.

The requirement for a separate and stand-alone risk committee of the board of directors with a CRO, reporting directly to the risk committee and the CEO, indicates the high level of importance the Federal Reserve is giving to the implementation and administration of enterprise-wide risk management. Tearing down individual internal risk silos that inhibit collaboration and communication across the enterprise about identified risks and intelligence about emerging risks and opportunities should be a priority on the risk management agenda.
• “[T]he board proposes that covered company and over $10 billion bank holding company risk committee must be chaired by an independent director. The board views the active involvement of independent directors as vital to robust oversight of risk management and encourages companies generally to include additional independent directors as members of their risk committees.”17
• “Specifically, the Board believes that best practices for covered companies require a risk committee that reports directly to the Board and not as part of or combined with another committee.” Thus, “the proposed rule would require a covered company’s risk committee not be housed within another committee or be part of a joint committee.” In addition, “the proposed rule would require a covered company’s risk committee to report directly to the covered company’s board of directors.”18
• A separate stand-alone risk committee, not a part of or combined with the existing audit committee, is a signal or reminder by the Federal Reserve that the two committees (audit and risk) have different functions and responsibilities. The risk committee’s responsibilities are to document and oversee the enterprise-wide risk management policies and practices of the company. The risk committee’s agenda is:

[to review and approve] an appropriate risk management framework that is commensurate with the company’s capital structure, risk profile, complexity, size, and other appropriate risk-related factors. The proposed rule specifies that a company’s risk management framework must include: risk limitations appropriate to each business line of the company; appropriate policies and procedures relating to risk management governance, risk management practices, and risk control infrastructure; processes and systems for identifying and reporting risks, including emerging risks; monitoring compliance with the company’s risk limit structure and policies and procedures relating to risk management governance, practices, and risk controls; effective and timely implementation of corrective actions; specification of management’s authority and independence to carry out risk management responsibilities; and integration of risk management and control objectives in management goals and the company’s compensation structure.19

• Appointment of a chief risk officer (CRO): “. . . in ensuring the effective implementation of a covered company’s risk management practices, the proposed rule would require a covered company’s CRO to report directly to the risk management committee and the chief executive officer.”20

As the name Dodd-Frank Wall Street Reform and Consumer Protection Act states, the law is aimed at the financial sector. However, the Act provides a model, or benchmark, of sound risk management practices that could be utilized (with some modification) in all industry sectors. The Federal Reserve model could strengthen ERM’s core trunk if it does indeed become the de facto enterprise risk management standard and migrate from the financial sector to general business. The influence of the Federal Reserve cannot be overstated, but adoption of its model by all publicly traded companies will take many more years without a specific push from regulators in other industries.

One example of how Dodd-Frank can extend the Federal Reserve model and reach, and has now done so, is the creation of the Financial Stability Oversight Council (FSOC). This group identifies and monitors excessive risks to the U.S. financial system arising from the distress or failure of large, interconnected bank holding companies or nonbank financial companies. In July 2013, the FSOC named the first nonbank financial companies considered systemically important financial institutions (SIFIs): American International Group and GE Capital. Prudential Financial, Inc. was added to the list in September 2013. These companies will now come under the supervisory standards, including examinations, established by the Board of Governors of the Federal Reserve for the first time.
LEVERAGING ERM TO PRACTICE STRATEGIC RISK MANAGEMENT

ERM is a business management support process. For several years, proponents of ERM have been advocating incorporating the ERM process into strategic and business planning to increase its utility. Their goal is to promote risk-adjusted decision making that can better assist management in addressing the outside forces (such as political, economic, technological, legislative, social, and environmental) that will cause the variations from performance or planned outcomes that will inevitably occur over a multiyear time line. Some outside forces will inhibit success, while others will improve the operating environment. The specific purpose is to reduce the impact of adverse events and be ready to exploit emerging opportunities. The challenge is adapting the ERM process within the existing strategic and business planning methodology.

The word strategy has its roots from the Greek strategos (a compound of stratos, for an encamped army spread out over ground, and agein, to lead,21 which explains its initial definition of “the art of generalship”). Strategy can be defined as a careful plan or method for achieving a particular goal, usually over a long period of time, and the skill of making or carrying out plans to achieve a goal.22 Another definition is: “A company’s strategy is a series of choices, to be effective it must remain consistent with what’s happening in its competitive environment.”23

Organizations that view the ERM process as supporting business strategies should consider positioning it where the primary goals are both to grow the business and to protect value: corporate planning (longer range) and the business units (annual). Exhibit 16.1 is a model designed by the authors that can be utilized to incorporate ERM into the strategic and annual business planning process. However, before positioning can occur, the entire organization should understand the vision, mission, and purpose of ERM. This can be accomplished by creating a formal ERM charter. The ERM charter serves as an internal blueprint for both executive leadership and middle management to follow. The optimal time to create the charter is in the ERM planning stage, before it has been implemented. The charter will set the tone at the top for ERM in one of two directions: (1) Risk management is a strategic support function, or (2) risk management is a control function. In Exhibit 16.1 risk management is a strategic support function.

Exhibit 16.1 Incorporating ERM into the Strategic Planning Process (figure, titled “Incorporating ERM into Strategic Planning Model”; the text labels recovered from the image are listed below by stage)
• Internal Scan: Senior Management’s Perceived Levels of Risk and Current Risk Response; Internal Audit Perspective of Controls; ERM Risk Register
• External View: PESTLE* (Political, Economic, Technological, Socio-Demographic, Environmental, Legislative); Scenario Planning & SWOT Analysis; Risk Context
• Assessment: Risk Appetite(s) and Risk Tolerance Statement (What Risks Can We Take? How Much Risk Can We Take? When Do We Take the Risk? Who Is Willing to Take the Risk?); Value Mapping (What Are the Measurable Benefits to Taking the Risk?)
• Process Articulation: Longer Range Strategic Plan; Annual Business Plans; Risk Owners Identified; Budget Allocation and Resources
• Execution
• Also shown: Risk Perception Map**
*From Francis J. Aguilar, Scanning the Business Environment (New York: Macmillan, 1967).
**From Pedro C. Ribeiro, “Predictable Project Surprises: Bridging Risk-Perception Gaps,” Ask Magazine, August 11, 2013.
Used by permission of John Bugalla and James Kallman, © Copyright 2013, John Bugalla and James Kallman.
The initial step comprises three internal scan elements: (1) surveying the C-
suite about leaders’ current perceptions about risks and their management, (2) sur-
veying Internal Audit about their perspectives on the current level and effective-
ness of risk controls, and (3) creating an ERM risk register. The surveys will enable
a comparison between the current state of risk management activities and the cor-
responding risk control efforts. The ERM risk register is a tool for organizing the
identified risks and their internal owners.
The external view serves several purposes. It begins to incorporate the ERM
process into strategic planning steps. The external view provides an opportunity
to identify the outside forces that present both risks and opportunities to the
organization—the two sides of the business decision coin. Coupling risks and
opportunities together provides a broader and more complete view that makes for
a far better assessment process and decision making. The authors have indicated
some of the tools and techniques that can be utilized to complete the assessment
process, including a detailed description of a new tool that is presented later in
this chapter.
312 Implementing Enterprise Risk Management
If the ERM and strategic planning process have been merged, the results
should be seamlessly incorporated and articulated into the longer-range strategic
and annual business plans. Both plans articulate how the organization will achieve
its business goals. However, neither plan provides certainty that the planned per-
formance will be achieved—analogous to von Moltke’s statement “No battle plan
survives contact with the enemy.”24 The goal is to reduce the impact of adverse
events and exploit opportunities to achieve better outcomes around the planned
performance objectives.
MANAGING AND MEASURING VALUE CREATION
At the enterprise level, a risk identification and assessment exercise at a global
company can develop a list of risks sometimes numbering in the hundreds. Such
an expansive list of risks requires organization. One approach to organizing the
list is to create a risk register. The purpose of a risk register is to sort the risks
into categories, describe their characteristics, and rank them. Bringing additional
order to a cumbersome risk register is a risk map—a kind of executive summary
of the risk register in a pictorial format. A risk map is a graphical snapshot of the
key identified risks—usually the top 10 risks. Including all the risks identified on
a risk map would render it indecipherable.
The key question practitioners should be asking about these tools is: Who ben-
efits from the time-consuming and expensive exercise of creating a risk register that
sometimes contains hundreds of risks, and the associated risk map? If the benefit
is limited to a single function, that suggests a limited and narrow purpose of the
organization’s risk management program.
Traditional risk maps are insufficient for many reasons. One key shortfall is
that traditional risk maps do not properly plot risks. The common objective
definition of risk in risk management, finance, and statistics—"the variation from an
expected outcome over time"25—includes three parameters: the expected outcome,
its variation, and time. Traditional risk maps plot only the two variables that
make up the expected outcome: (1) the probability of an event and (2) the value of
that loss. Rarely do they plot gains. Conspicuously missing from traditional risk
maps are variation and time. All four variables (probability, value, variation, and
time) must be plotted in order to provide complete information about the risks.
RISK MANAGEMENT FAULT LINE
Being in business, however, is about taking risks. Examples include expanding
new product lines, investing in research and development, looking for mergers
and acquisitions, and exploring geographical expansion. Organizations undertake
these and other activities to grow the business. All involve taking risks. None are
guaranteed successes. Managing the threats associated with taking risk is required
(traditional risk management), but so should identifying and assessing the upside
gain of the opportunities associated with taking those risks (speculative risk man-
agement). Measuring both the downside and the upside of risk taking in terms
of a metric that is meaningful to the organization, such as earnings per share for
a publicly traded company, provides a context that can be utilized to determine
the type and amount of the resources needed to support the favorable outcomes
as projected by the strategic planners and executive management. An additional
benefit is that, by analyzing the range of possible outcomes against what was
actually achieved, executive management may also gain insights into individual
operational performance capabilities.
Identifying and assessing both risks and opportunities simultaneously might
seem obvious, but it is atypical—at least in the first decade of the twenty-first cen-
tury. One reason is that the two most widely utilized tools and techniques cur-
rently employed during the ERM risk identification and assessment process are a
risk register and a risk heat map. They received their monikers for a reason. The
focus of both is the perceived threats to an organization. There is no consideration
of the value that could be created by taking on risks.
Academics have now spent many years researching the benefits of risk regis-
ters and risk maps.26 While it is undeniable that risk registers and risk maps do
have value, our research and analysis conclude the following:
• If the organizational goal is to respond only to known, identified risks, and
the ERM process is viewed as an extension of audit and compliance, then
risk registers and traditional risk maps can be useful.
• If the organizational goal is to respond to known threats (risks) and opportu-
nities, and also to gain risk intelligence about emerging risks on the horizon,
a traditional risk register and risk map fall short. This is because they fail
to show both the upside of risk and the relationships between events and
volatility.
• If the organizational goal is to grow the business and create value for stake-
holders, a traditional risk map is useless. Again, this is because risk maps
fail to enable executives to see the upside of taking risks and relationships
between risks, and fail to show trends.
• A new tool is required to measure both risks and opportunities—which we
call a "value map."27
VALUE MAPS
A value map is a graphical illustration of both threats and opportunities. Because
threats and opportunities are two sides of the same coin, a value map also has two
sides, as illustrated. Reference points have been added for valuation and measur-
ing variation from the expected outcome. Threats are plotted on the left side of the
map while opportunities are located on the right side. Rather than plotting a single
point on a risk map, the value map illustrates the range of the magnitude of each
threat and the potential gain of each opportunity. This is an important
consideration because operational conditions during the year or years are not static. A
value map can also plot the time duration of risks. Some risky events occur and last
for only a short period—perhaps a matter of days. Others have long tails and last
for many years. Some long-lasting risks can have significant strategic importance.
A value map can also plot correlations between risks. Some volatile situations are
highly associated with others. For example, the threat of a patent lawsuit may have
a strong link to a consequential decrease in revenues. A weather-related
catastrophe may be highly correlated with the chance of personnel being injured,
property damage, business interruption expenses, crisis management, and perhaps a
declining stock price. These associations can be shown on the value map so senior
management is fully aware of the total consequences of an event.

Exhibit 16.2 Value Map Outcomes
[Diagram: an empty value map. Horizontal axis: Outcome Values, with Negative Outcomes on the left and Positive Outcomes on the right. Vertical axis: Outcome Likelihood, from Low Probability at the bottom to High Probability at the top.]
Exhibits 16.2 through 16.4 show how a value map differs from traditional heat
maps. Exhibit 16.2 shows that the outcomes from a volatile situation are not neces-
sarily negative. In fact, organizations take on risky projects in order to create value.
The value map provides cells to record both negative and positive outcomes of
business situations. These events may be investments in new products, operating
a factory, or providing a customer service.
Exhibit 16.3 plots two risks in their current state. That is, the ellipses show
the expected outcomes (the center of the ellipses) as well as the spread of possible
outcomes. On the vertical axis, the range of possible probabilities is shown; on
the horizontal axis, the range of possible values is shown. This mapping differs
significantly from traditional heat maps in that for the first time the variation (the
risk) is plotted. The outcome is plotted as the Cartesian product of the event’s value
(on the horizontal x-axis) and its likelihood (on the vertical y-axis). This plotting
of so-called expected outcomes is typical of all traditional heat maps as well. But
where value maps improve on this display is in also showing the range of both
inputs. These ranges are shown as ellipses. The wider (on the x-axis) the ellipse
is, the greater the range of outcome values. Risk #1 in Exhibit 16.3 shows such an
outcome. The taller (on the y-axis) the ellipse is, the greater the uncertainty of the
outcome. Risk #2 in Exhibit 16.3 shows an example of this uncertain outcome. In
contrast, a narrow and short ellipse displays an outcome that is certain in both
value and probability.

Exhibit 16.3 Value Map with Two Risks—Current State
[Diagram: the same axes as Exhibit 16.2 (Outcome Values, Negative Outcomes to Positive Outcomes; Outcome Likelihood, Low Probability to High Probability), with two ellipses labeled "Risk #1 Current State" and "Risk #2 Current State."]

Exhibit 16.4 Value Map Showing Risk Evolution
[Diagram: the same axes, with four ellipses labeled "Risk #1 Previous State," "Risk #1 Current State," "Risk #2 Previous State," and "Risk #2 Current State."]
Exhibit 16.4 shows how the risks are evolving over time. There are several
methods to include a risk’s time dimension. In this graph, a two-period scale is
used. For example, risk #1 has not changed in its possible spread of value outcomes.
However, it has become much more likely in the current state. Risk #2 changed in
both dimensions. Its probability range has grown, which indicates there is much
less certainty in what outcome might occur. In addition, although its values have
the same spread, they are all negative in the current state. Risk #2’s situation has
drastically degraded. The value map in Exhibit 16.5 shows risk correlations.
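To make the value-map idea concrete, the following Python model is an added example written for this edition; it is not code from the chapter's authors. It stores each risk as a value range and a likelihood range (the ellipse in Exhibits 16.3 and 16.4, rather than the single point of a heat map), describes how the ellipse moved between two periods, and follows correlation links so that an event is read together with its consequences, as in Exhibit 16.5. The register, the owners, the EPS-cents metric, and the correlation coefficients are constructed for the example; the "cluster floor" aggregation is a simplifying assumption of the example, not a method from the chapter.

```python
"""Value-map data model (added example): each risk is an ellipse on the
outcome-value x likelihood plane, carries its previous state, and is linked
to correlated risks. The sample register and links are constructed."""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RiskState:
    """One period's assessment. Values are in the organization's metric
    (assumed here: cents of EPS); negative = threat, positive = opportunity."""
    value_low: float
    value_high: float
    prob_low: float
    prob_high: float

    def __post_init__(self):
        if self.value_low > self.value_high:
            raise ValueError("value range is reversed")
        if not 0.0 <= self.prob_low <= self.prob_high <= 1.0:
            raise ValueError("probability range must lie within [0, 1]")

    def ellipse(self):
        """(center_x, center_y, half_width, half_height) of the value-map ellipse."""
        return ((self.value_low + self.value_high) / 2,
                (self.prob_low + self.prob_high) / 2,
                (self.value_high - self.value_low) / 2,
                (self.prob_high - self.prob_low) / 2)

    def expected_outcome(self):
        """The single point a traditional heat map plots: value x likelihood."""
        cx, cy, _, _ = self.ellipse()
        return cx * cy

    def side(self):
        """Which side of the map the ellipse sits on."""
        if self.value_high <= 0:
            return "threat"
        if self.value_low >= 0:
            return "opportunity"
        return "two-sided"


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str                      # risk register entry: every risk has an owner
    current: RiskState
    previous: Optional[RiskState] = None


def evolution(prev: RiskState, cur: RiskState):
    """Describe how an ellipse moved between two periods (Exhibit 16.4)."""
    _, pcy, pw, ph = prev.ellipse()
    _, ccy, cw, ch = cur.ellipse()
    notes = []
    if math.isclose(cw, pw, abs_tol=1e-9):
        notes.append("value spread unchanged")
    else:
        notes.append("value spread widened" if cw > pw else "value spread narrowed")
    if not math.isclose(ch, ph, abs_tol=1e-9):
        notes.append("likelihood less certain" if ch > ph else "likelihood more certain")
    if not math.isclose(ccy, pcy, abs_tol=1e-9):
        notes.append("more likely" if ccy > pcy else "less likely")
    if cur.side() != prev.side():
        notes.append(f"moved from {prev.side()} to {cur.side()}")
    return notes


def linked_risks(links, trigger, threshold=0.5):
    """Names of every risk reachable from `trigger` through correlation links
    with |r| >= threshold, so an event is read together with its consequences."""
    seen, frontier = {trigger}, [trigger]
    while frontier:
        name = frontier.pop()
        for a, b, r in links:
            if abs(r) < threshold:
                continue
            other = b if a == name else a if b == name else None
            if other is not None and other not in seen:
                seen.add(other)
                frontier.append(other)
    return sorted(seen - {trigger})


def cluster_floor(register, names):
    """Combined magnitude if every named risk lands at the low end of its value
    range (a pessimistic simplifying assumption of this example)."""
    return sum(register[n].current.value_low for n in names)


# Constructed sample register: four risks, two with a previous-period state.
REGISTER = {r.name: r for r in [
    Risk("R1 patent lawsuit", "General Counsel",
         current=RiskState(-40, -10, 0.5, 0.7), previous=RiskState(-40, -10, 0.2, 0.4)),
    Risk("R2 new product line", "VP Product",
         current=RiskState(-60, 0, 0.2, 0.8), previous=RiskState(-20, 40, 0.3, 0.5)),
    Risk("R3 revenue decline", "CFO", current=RiskState(-30, -5, 0.3, 0.6)),
    Risk("R4 geographic expansion", "COO", current=RiskState(10, 50, 0.4, 0.6)),
]}
# Constructed correlation links (risk, risk, r), in the style of Exhibit 16.5.
LINKS = [("R1 patent lawsuit", "R3 revenue decline", 0.85),
         ("R1 patent lawsuit", "R2 new product line", 0.23),
         ("R3 revenue decline", "R4 geographic expansion", -0.10)]


if __name__ == "__main__":
    for risk in REGISTER.values():
        cx, cy, hw, hh = risk.current.ellipse()
        print(f"{risk.name:26} {risk.current.side():11} center=({cx:+.0f}, {cy:.2f}) "
              f"half-width={hw:.0f} half-height={hh:.2f} "
              f"heat-map point={risk.current.expected_outcome():+.1f}")
        if risk.previous:
            print("   evolution:", "; ".join(evolution(risk.previous, risk.current)))
    cluster = linked_risks(LINKS, "R1 patent lawsuit")
    print("R1 drags along:", cluster,
          "floor:", cluster_floor(REGISTER, ["R1 patent lawsuit"] + cluster))
```

Run as a script it prints one line per risk with the ellipse center, its half-widths, and the single point a heat map would have shown, then the evolution notes for R1 (spread unchanged, more likely) and R2 (taller, more likely, now entirely negative), mirroring the narrative of Exhibit 16.4. Lowering the threshold passed to `linked_risks` pulls weaker correlations into the cluster, which is the judgment call the chapter leaves to senior management.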
ADDITIONAL TOOLS AND TECHNIQUES
Exhibit 16.5 Value Map Showing Risk Correlations
[Diagram: horizontal axis Impact, running from Negative Outcome (high, med, low) on the left to Positive Outcome (low, med, high) on the right; vertical axis Likelihood (low, med, high). Risk #1 and Risk #2 are joined by a link labeled r = .23; a second link labeled r = .85 runs to Risk #3; Risk #4 is plotted on the positive side without a link.]

Making risk-adjusted decisions and practicing strategic risk management by utiliz-
ing new tools and techniques to measure the value created or protected by adopt-
ing the ERM process is not limited to value mapping. Risk managers now have
multiple options that, depending on the potential impact to the organization and its
executive management and the level of complexity, could be employed to improve
the quality of their decisions. These tools can be quite sophisticated, and might
require outside experts to facilitate a specific project, especially strategic issues that
could be a destiny-determining event for the CEO. One example is game theory.
Especially useful in situations involving outside suppliers, competitors, and regu-
lators, game theory can provide insights and recommended courses of action about
the various players’ interests and options. If there are multiple players involved in
complex negotiations, competitive strategy, crisis management, and public policy,
game theory can be utilized to develop specific strategic and tactical options.
CONCLUSION
Risk management is evolving from focusing only on the downside of risks to a
far broader understanding that strategic decisions have the potential of producing
both downside and upside outcomes. By employing the ERM process at the strate-
gic planning level, the organization has a far greater chance of exploiting oppor-
tunities that may arise during a typical multiyear planning cycle. Likewise, the
organization has a greater chance of protecting organizational value when adver-
sity strikes. However, to enable the organization to adopt and adapt the broader
view of enterprise risk management and use the ERM process to practice strategic
risk management, executive management must:
• Reexamine the purpose of ERM within the organization.
• Position and leverage ERM into strategic planning to support business goals.
• Utilize value maps to measure the value created or protected as a conse-
quence of practicing strategic risk management.
One way to start or reignite the ERM process within an organization is to cre-
ate or redraft an ERM charter. The charter should set forth a vision, mission, and
purpose of ERM within the organization as a strategic function. To ensure that all
levels of management are speaking a common language when it comes to risk,
greater clarity will be attained by including a definition of ERM, risk, and strate-
gic management within the charter; then utilizing modern risk registers and value
maps will enable executives to better achieve their strategic goals.
QUESTIONS
1. Do you believe that ERM will continue to evolve, and if so, how?
2. Do you believe that risk is a two-sided coin with both upside gains and downside losses?
3. How is value measured in your organization and do you believe the ERM process can
add new value?
4. Besides risk maps and value maps, what other tools and techniques are available to man-
age risk and make risk-informed decisions?
NOTES
1. One of the first integrated risk programs to be labeled ERM was United Grain Growers.
It combined selected hazard risks such as general liability and property with a selected
economic risk (grain processing volume). (See Chapter 7 of this book.)
2. Torben Juul Andersen and Peter Winther Schroder, Strategic Risk Management Practice
(New York: Cambridge University Press, 2010).
3. Peter F. Drucker, Goodreads.com.
4. A good discussion of strategic risk management can be reviewed at the Risk and Insur-
ance Management Society (RIMS) website and others. For example, see www.rims.org/
resources/ERM/Pages/StrategicRiskManagement.aspx.
5. John Bugalla, Barry Franklyn, and Corey Gooch, “Climbing the ERM-Enterprise
Risk Management Tree,” Risk Management, May 2010; and National Law Review,
www.natlawreview.com/article/climbing-erm-enterprise-risk-management-tree.
6. The two major frameworks are ISO 31000, accepted in approximately 25 countries, and
COSO, which is mainly utilized in the United States. Other frameworks include those
created by AS/NZ 4360 and the Conference Board of Canada.
7. For a discussion of the benefits and disadvantages of ERM standards, there are many
articles; for example, see www.niso.org/workrooms/ermreview, www.coso.org/docu
ments/coso_erm_executivesummary and www.theirm.org/ISO31000guide.htm.
8. See “United Grain Growers Limited (A),” Harvard Business School Case Study 9-201-
015, June 11, 2001.
9. For the full Terrorism Risk Insurance Act of 2002 Reauthorization Act of 2013, see
http://beta.congress.gov/bill/113th/house-bill/508.
10. To read the full act, Public Law 107-204, July 30, 2002, see www.sec.gov/about/laws/soa2002.
11. www.coso.org/-erm.htm, accessed December 8, 2013.
12. www.sec.gov/about/laws/wallstreetreform-cpa, accessed December 2013.
13. www.johnelkington.com/activities/ideas.asp, accessed December 8, 2013.
14. To read the full rule see: www.gov.rules/final/2009/33-9089.
15. See www.sec.gov/about/laws/wallstreetreform-cpa.
16. Federal Register, January 5, 2012.
17. Ibid.
18. Ibid.
19. Ibid.
20. Ibid.
21. Lawrence Freedman, Strategy: A History (NY: Oxford University Press, 2013).
22. www.merriam-webster.com/dictionary/strategy.
23. John R. Wells, www.exed.hbs.edu/assets/Documents/wellsQAsa11.
24. Helmuth von Moltke, Field Marshal, German military strategist.
25. Stephan R. Leimberg, Donald J. Riggin, Albert J. Howard, James W. Kallman, and Don-
ald L. Schmidt, The Tools & Techniques of Risk Management & Insurance, 2009 supplement
(Cincinnati, OH: National Underwriter Co.), 8.
26. Examples of the benefits of risk registers and risk maps include www.interrisk.com.au/wp-content/uploads/2012/09/Risk_register_September2012, www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CFUQFjAG&url=http%3A%2F%2Fwww.qrc.org.au%2Fconference%2F_dbase_upl%2FCritical_Control_Risk_Registers&ei=zCemUvrvG6Xr2QXEhoFI&usg=AFQjCNFWXZqE8_kS9HA9aK9NZQskOEkpOQ&bvm=bv.57752919,d.b2I, and http://blog.lrenergy.org/the-benefits-of-an-effective-risk-management-process/.
27. John Bugalla and Dr. James Kallman, “How to Map Your Risks,” CFO.com, February
2013.
ABOUT THE CONTRIBUTORS
John Bugalla is Principal of ermINSIGHTS, an advisory and training firm spe-
cializing in enterprise risk management and strategic risk management. His
experience includes 30 years in the risk management profession serving as Manag-
ing Director of Marsh & McLennan, Inc., Willis Group, Plc., and Aon Corporation
before founding ermINSIGHTS. He led the Willis team that negotiated the inte-
grated risk program on behalf of United Grain Growers. He is the author or coau-
thor of numerous articles in diverse publications such as The Corporate Board maga-
zine, CFO magazine, the National Law Review, Credit Union Management magazine,
Risk Management magazine, the Journal of Risk Management in Financial Institutions,
and the Journal of Risk Education.
James Kallman is Assistant Professor at St. Edward’s University, Austin where he
teaches courses in finance, and statistics, and risk management. Dr. Kallman holds
a doctoral degree and master’s of science degree in risk management and insurance
from the University of Wisconsin, a bachelor of science degree from the University
of Minnesota, and an Associate of Risk Management and RIMS Fellow degree. He
is author or coauthor of numerous articles in diverse publications such as The Cor-
porate Board magazine, CFO magazine, Risk Management magazine, Journal of Risk
Management in Financial Institutions, and the Journal of Risk Education.
PART IV
Specialized Aspects of
Risk Management
CHAPTER 17
Developing a Strategic Risk
Plan for the Hope City
Police Service
ANDREW GRAHAM
Adjunct Professor and National Editor, Case Studies, Institute of Public
Administration of Canada, Queen’s University
Hope City is a midsize urbanized community, part of a larger conurbation and
therefore part of larger and more complex forces. It is changing in terms of
demographics and the demands on policing. While there is no
central crisis in this case, there are a number of disturbing trends that represent
risks to the Police Service business model now in play and to the ability of the
Police Service to meet the emerging needs of its community.
The Hope City case is one that forces integrative thinking about risk manage-
ment. It is a holistic set of facts and information designed to lead to the creation of
a strategic risk management plan for the Police Service of Hope City. It is centered
on the qualitative and impressionistic assessment of risk, rather than the quantita-
tive. Therefore, coming to an assessment of the risks in this circumstance and ren-
dering them relative weights will entail some form of collective, consensus-driven
or centrally driven exercise. Further, aside from being a good platform for the effec-
tive assessment of risk and the assignment of weights, it is also useful when linked
to the creation of a strategic or action plan for the Police Service as a whole. The
case lends itself well to group work as well as written analysis.
THE CONTEXT
Like most police services, the Hope City Police Service is a busy place. There is no
end of activity. Chief Karl Paulson has been in the job for 10 months now and feels
that he is getting a handle on the culture and way things are done around Hope
City. He came in from another service. This is his first job as chief, although he has
held both operational and planning roles at the deputy level elsewhere. He finds
working in a growing community of 500,000 like this one interesting. However, at
the end of the day, while he fits in fine, he still does not feel in control of things.
Being a good police leader and being used to rapidly changing time and resource
priorities, he can certainly fit into the “What’s next?” approach to management. He
feels he and his organization are adept at responding and adapting to both opera-
tional challenges and changing situations. But is that what it is all about? He is also
seeing some changes happening that he is not sure the Police Service is ready for.
Hope City is indeed a growing and changing place. It is situated not far from
a larger metropolitan area, one that gives a lot of employment to Hope City res-
idents. In fact, about 20 percent of the Hope City working population commutes
the 50 to 75 kilometers every day by way of the multilane highway that passes just
west of town, the commuter rail link into downtown Benville, or the commuter bus
systems. The others work in the large service sector or the many secondary manu-
facturing plants on the west side of the city. There is also a community college with
extensive programming that employs about 500 people. It really is a regional hub,
one that Hope City residents are proud of. Right now, as this community grows
and changes, there is a lot to be optimistic about for the future. On the other hand,
the more the community changes, the more that future changes. Having been a
small city with a homogeneous population and relatively isolated for a long time,
it is now becoming part of the growing conurbation around Benville.
Taken at first blush, Hope City seems to be doing well. There is growth in
residential and commercial construction as the result of an influx of new workers
into the high-tech industries that are growing here. Many of these new workers are
new Canadians, often well educated, some of whom come through family sponsor-
ships. They have settled primarily in four communities in Hope City, often form-
ing fairly close-knit communities. New services are arising to meet their needs,
although schools, churches, and social organizations are at capacity.
Working with the notion that it is always best to get ahead of issues before
they get ahead of you, Chief Paulson decided to pull together his top managers for
a planning session and a bit of a look forward. He is allergic to flip charts, consul-
tants, and detailed reports that do not get used. However, he wanted to not just be
a good day-to-day chief, but to set the future direction of the Police Service as well.
He also had an uneasy feeling that the Police Service needed to get a handle on the
challenges that it was facing, develop a better understanding of the communities it
was serving, and get a bit savvier on the political developments in the area. All this
was also part of his desire to bring along a number of top-notch operational com-
manders and broaden their perspective so they could take on more senior roles.
Paulson clearly wanted to move to becoming a strategic leader.
The Chief decided to get some help on an environmental scan. He was able
to get the help of an old colleague (a consultant) who had retired from a senior
police job (not in Hope City) and was known for her ability to talk to people. He
asked her to do some interviews in preparation for the senior staff retreat. Her
mandate was to gather information and impressions that would help the senior
management team identify its challenges and risks. What follows is the result of
those interviews.
SOME BACKGROUND ON THE HOPE CITY
POLICE SERVICE
The Police Service Board is made up of seven people who meet regularly with
the Chief. Board members are appointed under the provincial legislation as a mix
of provincial and municipal appointees. Two Hope City Council members sit on
the board. Membership tends to turn over every four years, with some continu-
ing members serving more than one term. It is this current board that hired Chief
Paulson after an executive search process. The board has a legislated responsibil-
ity to oversee the direction of the Hope City Police Service, set broad policy and
strategy, and monitor the performance of the chief. It has the power to hire and fire
the chief.
The Hope City Police Service deployed 790 police officers and 267 civilian
members and responded to more than 85,000 calls for service during 2010. Its oper-
ating budget for 2010 was $129,600,000. The area covered is 1,382 square kilome-
ters, serving a population of 508,000. The police also have an active volunteer pro-
gram with 250 volunteers, plus 64 auxiliary officers.
Hope City is governed by a municipal council and mayor. The Police Service
is part of the mandated municipal services. Hope City views the Police Service as
a department of the city and budgets for it in that manner. This creates some fric-
tion, as the police chief reports formally to the Police Service Board, not the city.
However, in reality, the chief must also work with the city, most notably the mayor
and the Chief Administrative Officer (CAO). Formal and informal lines cross fre-
quently, and it requires a certain measure of diplomacy, tolerance, and restraint
to make the system work. Generally, it does until the budget crunch, an annual
event. The police budget is a significant portion of Hope City’s budget. For 2010,
policing will take up 22 percent of the total municipal budget. While these costs
are supported generally and there is broad City Council backing of good policing,
the city chafes at how little it actually controls these costs. The budget is set by the
Police Service Board, and the City Council feels there is little incentive to restrain
growth. Further, if there is a disagreement, the board can appeal to the province.
Generally, the police win if there is a showdown. However, the process can be
messy and leaves a lot of bad feelings.
As a first step in the process of reaching a strategic plan, the work of the con-
sultant began with interviews of key players. What follows is the result of those
interviews.
WHAT THE CONSULTANT HEARD
In setting up the interviews, all those canvassed were informed of the purpose by
the consultant: to help the Hope City Police Service develop a strategic plan. What
follows is the report offered to the Chief at the end.
The following groups of people were interviewed:
� Chief and all direct reports
� Association president
� Chair, Police Service Board
� Chief Administrative Officer, Hope City
� Chair, Hope City Chamber of Commerce
� Citizens against Racism Community Group
� President, East End Residents Association
� Hope City Citizens for Responsible Government
Chief Administrative Officer of the City
In practical terms such as the formal budget, the Police Service is a department
of the city. Therefore, the CAO has responsibility for it. This is clouded by the
role of the Police Service Board, a provincially mandated oversight body. This is
part of the municipal reality of the province, and the CAO is no stranger to it.
However, the dynamic can sometimes create amazing tensions. His first concern
about this interview was what this plan would look like in relation to Hope City’s
plans. However, he also realizes that working together is ultimately smarter than
working apart or at odds. So, he weighed in.
The CAO noted that the demographic shift in Hope City has only just begun. In
spite of the lack of some services for recent arrivals, new residents still keep coming.
He sees some distinct ethnic communities as growing and developing their
own infrastructures and identities. Housing starts, especially for townhouses and
apartments, are growing. There has also been an increase in the number of youths
in these communities. Birthrates in these ethnic communities are generally higher,
and there is evidence of that already. In some of the schools in those areas, the
majority is now from these recently arrived families. This is creating pressure for
more schools and also adjustments in school programming. The issue of English
as a second language among the older cohorts of these groups is emerging as a
service issue. They hardly use the 311 civic services line.
When asked about city plans that might affect police, the CAO noted that several
new major subdivisions were in the works or already approved. The Police
Service will have to expand to provide adequate policing to those expansion areas.
He recognizes that this will stress resources to adequately police these areas. He
was not certain if the development charges¹ would adequately cover the cost of the
increase needed for public services. He thought that the Police Service needed to
factor this into its capital planning; for example, would a new station be needed?
His concerns extended to whether the emergency services communications
infrastructure was going to be sufficient.
The high-use stress on highway infrastructure will mean construction on both
of the two main north–south routes over the next two years. There will also be
work on downtown main streets, including a long-term restoration of the main
city square through which most of the downtown traffic now is routed. The CAO
was concerned whether police were up to speed on the implications. This involves
work by both the city and the province.²
The CAO noted that several city councilors want to develop a new strategy
for the downtown core, which is plagued by many of the usual problems of lower
retail presence, some gang activity, and certainly a general degradation. He feels
the Police Service needs to come up with some cost-effective safe street strategies
or face pressure from both the City Council and neighborhood groups along with
retailers. There is certainly a desire to get more condo development downtown.
It was hard to keep the CAO off the issue of money in general. He feels that,
while the Police Service takes up a major portion of the municipal budget, there is
very little he can do to affect what it will look like. The City Council does not
feel there is adequate control either at the budget time or as the budget is managed
over the year. Of course, the City Council theoretically has ultimate control over
the budget, but it often feels it is being handed a fait accompli and that the Police
DEVELOPING A STRATEGIC RISK PLAN FOR THE HOPE CITY POLICE SERVICE 325
Service Board and the Chief are not really team players, willing to take their hit
along with the others. Whether it is the Police Service Board or the Chief, he does
not know, but he feels left out of the loop and is often surprised at budget time. He
feels it would be easy to say that the budget is too high and that the police get theirs
while other services suffer, but he is more annoyed at the process than opposed to
good policing. One example he cited was the number of years that overtime budgets
had been exceeded, forcing a return for funding to the City Council. He could
see one or two years and for exceptional circumstances, but he sees a pattern of
poor management here—his words. He also noted that this preceded the current
chief, but he has not seen much sign of any change. Also, he believes that the policing
model, as he calls it, will only drive costs up more. Why are the Police Service
Board and the Chief not pushing new ways of doing things?
The CAO also noted that, while there were Provincial Adequacy Standards for
police, Hope City did not appear to be following all of them. For instance, he noted
that the Police Service did not have a business plan. He thought that would go a
long way to making it more credible. He also had a few figures at hand, based on
a comparison of most of the cities in the province:
• While the provincial clearance rate³ on violent crime was about 74 percent,
Hope City’s was only 53 percent.
• While the provincial median for total crime rate was 5,900 per 100,000, in
Hope City it was only 5,300.
He asked how these two facts squared. If you have a lower crime rate, surely
you should expect a better clearance rate.
The CAO was concerned that the increase in cross-jurisdictional police teams
would lead to problems of financial control. He observed that Hope City had been
a big player in the recent regional efforts on biker gangs that the province led. He
noted, however, that there seemed to be a disproportionate number of resources
devoted to this and very little compensation from the regional funding that was
available from the province. He worried that there was not good costing and an
aggressive effort to recoup funds to pay the bills. He also wondered about tracing
costs and responsibilities for such horizontal-type work. Although he noted
that he was no expert on these issues, he also pointed out that quite a number of
municipalities across the country are complaining about what they see as the federal
downloading of costs for policing in new crime areas such as terrorism and
cyber crime.
Chair of Police Service Board
The chair of the Police Service Board is appointed by the province for a three-year
term. This is her second term and probably her last one.
At the outset, she expressed strong confidence in Chief Paulson and his management
team. She felt there was a good working relationship, at least at the level
of meetings and sharing information on current issues. She did have some reservations
about the capacity of the Police Service to adapt, especially around emerging
crime patterns, policing methods, and the changing population profile. She
reported on what she sees happening in Hope City and the police’s role in it.
Like the CAO, she sees the city changing. While she sees the rise in ethnic groups,
she also sees parts of the city being nothing more than commuter subdivisions. The
ones closest to the arterial roads seem to be deserted or ignored as far as active community
policing goes. She also notes how there is a lack of community resources
and activities to keep youths out of trouble.
She feels that the issues of rising youth crime, vandalism, and drug use are not
getting the attention they deserve. She even disputes a lot of the public opinion
poll results, saying that these numbers are general and not community based.
The chair is worried about succession planning for the Police Service. She sees
an aging service with a lot of senior people ready to retire. More important, as far as
she is concerned, she also sees that a lot of seasoned street-wise officers are leaving.
She sees this as two issues, not one. In fact, she thinks the loss of street experience
is more of a concern than the loss of managers. She also cites the inspector ranks
with long experience in areas such as homicide who will be leaving soon. She notes
that the rank below this, staff sergeant, is a small cohort populated by “a bunch of
guys the same age as the bunch of guys they report to.”
Generally, the Police Service Board feels that Chief Paulson tries to provide
the information that is needed for the board to function well. She feels that he is
overly protective of his operational role, insisting, for instance, on being the only
senior officer to appear before the board. While the board members have plenty of
informal interaction with line command staff, they seldom see them performing in
a formal way. They miss out on seeing what their potential is. She feels that it is a
lost opportunity not to use the board to profile senior staff accomplishments. The
Chief argues (not aggressively) that he would rather his command group spend
their time on operational priorities and he would handle external relations. The
board members’ view is that they are not external.
The budget is a concern of the Police Service Board. The board supports the
need for the best resourcing, but feels that the lack of a long-term perspective, especially
for big-ticket items like computer systems and vehicle replacement, always
puts them in opposition to the City Council. The board is responsible for setting
the budget, but worries about whether the Police Service knows what it will need
in the longer term to be sustainable. No matter what anyone says about who is
responsible for what, the board needs the chief’s advice in these areas. The board is
concerned about the level of good professional advice on the financial and administrative
side. The board feels it is often surprised by budget requirements. Board
members are also aware that this surprise and its negative consequences are something
the City Council and city staff note about the Police Service.
She feels the police are responsive and professional. However, they are not
as active in pursuing preventive measures generally associated with community-based
problem solving as they might be. To date, she sees only token efforts; for
example, even the community liaison officers, it would seem, are appointed only as
a break from their car and street duty, and not with a strong mandate. She has also
become aware of the move in some Canadian and American communities toward
what is called intelligence-led policing, which is the application of computer analytics
to both crime and police contact information to better understand trends, hot
spots, and key priorities. She has seen demonstrations of this and was impressed.
She also pointed out that the growing ethnic communities have little formal
or informal contact with the Police Service. In fact, the gulf appears to be
widening. She pointed to the number of comments that some ethnic community
leaders make to the press about police insensitivity, even though she has no evidence
of it. She wonders what the Police Service actually knows about these communities
and what crime potential they pose (e.g., terrorism).
The chair wonders how well some hot spot issues are being addressed. For
instance, she noted that some neighboring communities had developed aggressive
antigraffiti programs to increase community mobilization. She did not think that
the Police Service had to do it on its own but should be open to partnerships.
The chair felt that Chief Paulson was open to the public, but that the Police Service
as a whole was not as active in such matters as consultation and outreach as it
could be. She worried that the ethnic changes in Hope City had left the Police Service
behind. Further, she often gets complaints from business groups that they are
not being heard by the police, especially around issues of graffiti, and also youth
in the downtown area who are intimidating seniors who shop there.
Finally, she cited the relatively poor performance of the Hope City Police Service
in comparison with other services, based on the Provincial Adequacy Standards
program that uses performance data to compare services. She noted deterioration
in some response time issues and the number of uncleared major crime
cases. “I’m not one to proclaim we are the best. But it is not exactly satisfying proclaiming
we are happily stuck in the middle.”
Interviews within the Police Service
A number of trends emerged from these interviews. First and foremost was the
aging workforce challenge. It appears that recruitment is not keeping pace with
departures, or rather, while there was a good intake, the promotion rate was not
keeping up. Further, the Police Service is losing some valuable organizational
know-how without doing anything about it, in terms of either retention or knowledge
transfer. The expression “too damned busy” kept cropping up. The other
factor, given that Hope City was in a cluster of urban development with similar
services in nearby cities, was the theft of up-and-coming officers by other services.
It was felt that Hope City had a good reputation for training new officers but then
lost them to other services. There have been a lot of successes, too, in terms of transfers
in and promotions. It just seemed to be taking a lot more time staying on top
of things. The transaction costs of this churn were considerable.
Several senior officers expressed concerns about emerging crime issues. Some
were evident already. Some may or may not be on the horizon. For instance, computer
pornography and child exploitation seemed to be on the rise. There was some
notion that some is based in Hope City although there was no firm evidence to confirm
this. Certainly, at this point the Police Service did not devote many resources
in this area. Some officers had become more skilled in this area, but the Service
had yet to move on creating a unit devoted to investigating child pornography. On
the other hand, the concern about the potential for the development of terrorist-type
activity in some of the newly opened ethnically focused private schools was
an issue. Senior staff members were very worried about this in two ways. If they
focused on it too much, they might be accused of profiling and lose any hope of
building the intelligence and confidence links they needed with emerging ethnic
communities. If they did not take some reasonable steps to inform themselves of
the kind of new policing challenges the world was bringing to their doorsteps, they
would be negligent in active policing.
As a summary, the following crime rate trends were recorded:
• Generally following national and regional trends but rates slightly lower
than the provincial patterns
• Overall decrease in the number of crimes, especially assaults on persons
• Decrease in homicide and related crime
• Slight increase of sexual assault, in isolated areas
• Decrease in robberies
• Increase in car thefts but a shift from individual thefts to more systematic
patterns, suggesting a more organized approach
• Increase in credit card fraud
• Sharp increase in complaints or inquiries about identity theft with no real
pattern emerging in the statistics
• Youth-on-youth assaults up, especially in a number of both ethnic and
nonethnic housing projects that have police presence but little interaction
with the community
• Increase in hate/bias crimes and complaints—full range from graffiti to personal
threats
• Sharp increase in illegal ATM bank entries with a strong suspicion of organized
crime involvement
More and more of the budget and management time are going to the information
technology (IT) infrastructure. While direct entry from patrol vehicles has been
in place for a couple of years now, it is mostly used by officers to download information
that is already on the system rather than for direct input from their cars and
station points. Summary data on contacts that would establish patterns of interaction,
most notably among gang members and between gangs, is not yet regularly
input. Further, the ability of Hope City to go anywhere on a COMSTAT⁴-type information
management system is very low. Senior staff receive crime statistics on a
weekly or monthly summary basis. The roll-ups are always questioned because of
the amount of so-called dirty data they contain. This may also be why Hope City
looks so bad in comparison with others. On the other hand, there was resentment
of the amount of time that these administrative matters took. Reports and paperwork
seem to have precedence over face time and street presence. Chief Paulson
and his deputy were certainly aware of emerging technology trends, but to date
there has been little internal interest in trying them out. This contrasts with one
neighboring police service that has gone full tilt on geospatial intelligence analytics.
This positions crime patterns onto maps to link trends to location. It also drives
resource distribution.
Senior service personnel felt that they had real strengths in the area of joint task
force work and collaboration with other police services. They pointed with pride
to their major contribution on the recent biker initiatives, which saw several of the
key biker houses or chapters closed down as well as some important arrests. They
felt that they were not encumbered by a “my turf or else” mentality. They saw this
as a plus for the line officers who got to work with counterparts. They also saw
it as a link to public security issues at the national level, such as the protection of
critical infrastructure that the bikers had targeted for copper wire and electricity
diversion for grow operations.
President of the Police Association
The president had a lot of praise for Chief Paulson and his personal openness.
However, she felt that this was personal and that it was not being pushed into
the senior ranks. She also felt that most consultations were a joke, usually more of
an announcement than a real effort to consult, which should involve, in her view,
actually asking for and listening to the other party’s opinion.
In general, working conditions were good for most of the officers. She noted
that one recent survey of sworn officers indicated that 60 percent reported they
had enough time to do their work. She was surprised at that.
The president felt that the Police Service was like all the rest—mostly white
men—at a time when society was changing. However, she acknowledged that
there were no ready answers and that she would speak for all her members, even
the white men. However, the hiring practices should beef up recruitment of minorities,
but without sacrificing standards. She has a personal focus on harassment
in the workplace and had personally filed complaints about inappropriate sexual
comments by senior staff.
The Police Service just seems to be keeping up to the minimum of training
requirements. It is always scrambling to meet standards without thinking about
staff development. As such, there is a rush for the mandatory training and very
little else. She feels the Police Service should be working harder on such issues
as diversity awareness, use of technology, and emerging crime issues. Often the
younger staff members are way ahead of the senior people on computer crime, but
their capabilities are never used.
The president doesn’t feel that the Chief does enough to build up the image of
frontline staff. He is too quiet with the media and seems to be responsive but not
proactive on issues. He seems cautious in defending officers when something goes
wrong. He should be more aggressive.
While she has been with the Police Service for 12 years, the president says she
feels like an old-timer. That’s because she is. She is worried about the influx of
younger officers who lack experience. She is also seeing promotions much earlier
in people’s careers than in the past. She supports the members getting ahead, but all
this change can destabilize the Police Service. She sees management as responsible
for making sure that these people succeed.
Chair of Hope City Chamber of Commerce
Members of the Hope City Chamber of Commerce, too, are noticing the changing
face of Hope City and are concerned that the Police Service is not intervening before
things get out of hand. They know from their own surveys that many people are
retiring there to get out of the big city, and young families want a safe community
in which to raise their families. The problem is that some of the harbingers of big
city youth issues are just beginning to surface—things like graffiti and increased
vandalism—and the chamber of commerce feels that the police are not taking an
aggressive enough approach to the problem.