Intuit Wins 2015 ERM Award of Distinction

CHICAGO—In recognition of its success in building a sustainable enterprise risk management (ERM) program to enable its business lines to identify and intelligently manage the most important risks, software company Intuit was presented with the 2015 Enterprise Risk Management Award of Distinction at this year’s RIMS ERM Conference.

“ERM transformed Intuit’s risk management capability requiring our leaders to think cross-organizationally and cross-functionally to understand the most significant risks and drive strategies to address them,” said Janet Nasburg, chief risk officer at Intuit. “ERM was instrumental in not only providing insights about the company but has also driven changes in the way we align our focus. It is a tremendous honor to be recognized by RIMS for our hard work and to share our ERM experiences with the risk management community.”

Honorable mention for this year’s ERM Award of Distinction went to VIA Rail Canada Inc., the country’s national passenger rail company. As a result of its ERM program, the company developed a risk appetite and tolerance framework based on measurable leading key risk indicators.

“Applying this framework to its key strategic risks strengthened VIA’s ability to assess, monitor, and respond timely to changes in its enterprise-wide risk portfolio, thereby adding value to its decision-making process and enhancing risk oversight by its board of directors,” said Denis Lavoie, VIA’s director of enterprise risk management.

“RIMS is delighted to recognize the accomplishments of these two organizations and their risk professionals through the RIMS Award of Distinction,” said RIMS Executive Director Mary Roth. “The Intuit and VIA Rail programs demonstrate the tangible value that ERM brings to their respective organizations for both strategy-setting and strategy execution.”

Judging criteria for the ERM Award of Distinction include the scope of the ERM program and how it engages different levels throughout the organization; the program’s link or connection to the company’s overall mission; and its ability to create additional value for the organization.

10 Tips to Excel in ERM

CHICAGO—For many risk managers looking to implement enterprise risk management programs, one of the biggest challenges is figuring out how to do it properly. Unfortunately, as Steve Zawoyski, ERM leader at PwC, pointed out in a session at this year’s RIMS ERM Conference, you will never find the perfect ERM program—it’s basically as mythical as a unicorn. But there are certain key steps you can take to increase your chances for a successful ERM program. Zawoyski’s top tips are:

  1. Establish ERM program objectives. One of the common stumbling blocks to a successful program is the lack of agreement as to why you are doing this in the first place. Some may be doing it in order to make better decisions around strategy while others have governance concerns in mind or are simply doing it because the board said so. Establishing proper objectives will allow you to create the program that works best for your organization.
  2. Manage stakeholders. There are likely multiple parties that have a vested interest in your ERM efforts from the board to business managers to legal and audit to regulators. You will need to consider all of their specific needs and concerns.
  3. Align risk functions. Risk management is part of every division’s responsibility. Getting everyone on the same page will avoid allowing fatigue to set in over yet another risk management effort.
  4. Align risk and management processes. It is important to understand how the business is being managed and connect to those processes in order to be in a position to share information up and down the organizational hierarchy.
  5. Define risk. The traditional definition of risk denotes a hazard or a failure of some process. Make sure your organization understands that risk is merely uncertainty that can have either a positive or negative impact on objectives. It is OK to take on risk.
  6. Give credit. Different functions already have risk management capabilities and processes. Rather than reinvent the wheel, harvest the data and expertise already out there and build off that. Don’t build unnecessary steps into the process when those areas are already being addressed.
  7. Remember that risk is a four-letter word. Risk is an overused, ambiguous word with an often negative connotation. Risks are nothing more than variables that can present opportunities for greater success.
  8. Beware of risk categories. Labels like operational, financial, strategic or technology are overemphasized and not how business units think of risk. It is more effective to talk about risk in terms of management of hazards, compliance obligations or other uncertainties.
  9. Do your research. It is vital to develop a thorough understanding of the business and its drivers, from its capabilities to its competitive advantages to its strategic priorities and objectives.
  10. Simplify risk appetite. Risk appetite should be considered on a risk-by-risk basis and should boil down to a simple question of once risk controls and processes are in place, are you satisfied with the results?

ERM implementation can be challenging. But according to Zawoyski, it is all about keeping it simple for the stakeholders, ensuring that value is created, aligning to the business and evolving over time. By approaching your program in this way, all stakeholders will understand their role and how ERM relates to the overall strategy of the organization.

Enterprise Risk Lagging Globally, Study Finds

Despite a widening range of risks faced by organizations globally, less than 35% of companies say they have an enterprise risk management (ERM) plan in place. What’s more, 70% would not describe their oversight as mature, according to the Chartered Global Management Accountant (CGMA) report Global State of Enterprise Risk Oversight 2nd Edition.

The study found that 60% of boards of directors globally are pressuring their companies to increase involvement of senior management. The U.S. is lagging in some areas, with only 46% of its boards assigning risk oversight responsibilities to a committee compared to 70% globally.

One survey conclusion:

Unfortunately, many executives view risk management as mostly focused on compliance and loss prevention with little connection to strategy and value creation. As organizations evaluate their risk management processes, they may benefit from providing an honest assessment about the extent to which risk management in their organization is an important input to the strategic planning process. Given executives understand the importance of taking risks to generate returns, shouldn’t risk management be an important strategic tool by providing risk insights that inform strategy?

Other key findings of the study include:

[Infographic: Navigating the risk landscape]

Gauging the Impact of Reputational Risk

The following article is part of a continuing blog series that will explore ideas, concepts, discussions, arguments and applications associated with the field of enterprise and strategic risk management.

In my previous article, I made the point that the public discussion of reputational risk lacks a set of common standards or definitions. This lack of consistency allows organizations to interpret or define the concept of reputational risk in very different ways. For some, reputation is beginning to be viewed as something like the “risk of risks” in the same way people are starting to discuss the concept of the “internet of things.” I questioned whether reputation or brand is actually a risk or a residual event stemming from other extenuating risk domains or actions.

Upon further reflection and discussions with academics and risk professionals who are thinking carefully about this issue, I would go further now to suggest that reputation or brand risk involves perceived or real human behaviors that are, to some extent, measured against societal, economic or moral standards. The adherence or deviation from established standards generates the basis for the risk, and the variability from the standard influences the duration of the outcome.

The bigger question is: What impact does reputational risk have on economic performance when possibly mitigated by the existence of a robust enterprise or strategic risk management methodology? Is the data available to see the “correlates” between a reputational risk event that triggers or influences operational key process indicators like EBIT, ROA, ROE and share price (public or private)?

What we do know from the Aon 2015 Global Risk Management Survey is that business leaders are concerned about reputational risk in general and the possible linkages with other hazard and operational risks within their organizations.

The respondents to the survey said that they worried that a reputational risk event would significantly impact financial performance.

If reputation/brand risk was identified as a precipitating event, the respondents identified regulatory change, increasing competition, talent retention, cash flow/liquidity and share price volatility as “follow on” risk consequences. In effect, reputation/brand risk might constitute a “gateway” risk, where other related “follow on” risk consequences are triggered and serve to increase the overall volatility/impact of the reputation event.

Another way to view the data is to see what events could trigger a reputation event.

In this case, the survey respondents identified nine non-correlated risks that could precipitate a reputation/brand event. Here social media plays an important role. The speed by which information, accurate or not, is transmitted, consumed and iterated across the nine risk categories may have a material impact on the basis and duration of the reputation/brand event. There is also an error component associated with social media. How many times have we witnessed an initial media report of a brand-damaging event that turns out to be prematurely reported and the facts distorted, only to be corrected in a later reporting cycle?

Next up: Fat vs. thin tail distributions.