STrategic Risk Management

Licensed to: Omar Chaudhry S/N:6f090f9fa34ac6b79a0b64e25217bee4



Strategic Risk Management

A Primer for Directors and Management Teams
Mark L. Frigo, PhD, CPA, CMA

Richard J. Anderson, MBA, CPA
March 2010
Edition 1.0


Do not copy or redistribute in any way without express written consent of the authors
March 2010
Edition 1.0


Contents
Acknowledgements
Preface
Overview and Use of the Primer 1
Chapter 1 - Linking Risk Management with Strategy and Strategy Execution 3

How Strategic Risk Management can be Linked to Strategic Planning and Strategy Execution
Chapter 2 - What is Strategic Risk Management? 21

What Strategic Risk Management is and Why it is Important Now
Chapter 3 - The Return Driven Strategy Framework 55

Understanding the Strategy, the First Step in Strategic Risk Management
Chapter 4 - Return Driven Strategy and Strategic Risk Management 69

Strategic Risk Management Framework: A Tool for Understanding Strategic Risks
Chapter 5 – Conducting a Strategic Risk Assessment 115

How to Plan and Conduct a Strategic Risk Assessment
Chapter 6 - Strategic Governance, Risk and Compliance (GRC) 129

A Strategic Framework for Governance, Risk, and Compliance
Chapter 7 – Strategic Risk Management Case Studies 145

Case Examples of Strategic Risk Management
Chapter 8 - Tools and Diagnostics for Strategic Risk Management 155

Strategic Risk Management Alignment Guide
Return Driven Strategy and Strategic Risk Management Diagnostic Questions
Strategic Risk Management Maturity Diagnostics
Appendices and Supporting Readings 172

Appendix A: Bibliography
Appendix B: NACD: The Key Agreed Principles
Appendix C: Governor Randall S. Kroszner Speech
Appendix D: S&P Announcement
Appendix E: Moody’s Investors Service
Appendix F: COSO: “Effective Enterprise Risk Oversight”
Appendix G: Glossary of Terms
About the Authors 201

Mark L. Frigo
Richard J. Anderson


Acknowledgements
This book is based on an evolving approach for risk management, an approach that is
focused on the strategic risk faced by organizations. It is based on the Return Driven
Strategy framework, which has been used by management teams and boards to guide
strategic decisions toward growth, profitability and superior wealth creation. The
Return Driven Strategy framework was developed over a ten year period through
collaborative research and applications and is described in the book Driven: Business
Strategy, Human Actions and the Creation of Wealth (www.returndriven.com) which I
wrote with Joel Litman.
As boards and management teams used the Return Driven Strategy framework for
strategic planning, they started to hone in on the key strategic risks in the business plans
of the organizations and found insight into how to better manage the risk. This was the
beginning of the applications of the Return Driven Strategy framework for strategic risk
assessment and strategic risk management. Another force supporting this movement
was the recognition by thought leaders, directors and executives in risk management that
the Return Driven Strategy framework provided a robust approach for strategic risk
management, which was an “unmet need” in the business world. Over the last three
years, we have made numerous presentations and keynotes at executive and academic
conferences around the world to gain insight and share insight.
I would especially like to acknowledge Richard J. Anderson, Clinical Professor in the

Center for Strategy, Execution, and Valuation at DePaul University and retired partner
from PricewaterhouseCoopers for his insight and collaborative work with me in the
Strategic Risk Management Lab at DePaul and the co-author of this primer.
I would also like to acknowledge Joel Litman, the co-creator of the Return Driven
Strategy framework and co-founder of the Center for Strategy, Execution, and Valuation
in the Kellstadt Graduate School of Business at DePaul University. To Mark S. Beasley,
director of the ERM Initiative at North Carolina State University and Randy Nornes,
Executive Vice President at Aon Risk Services for their valuable contributions. To
Robert Kaplan, Harvard Business School, for his thought leadership in strategy
execution and his insight through our discussion on risk management. To Venkat
Ramaswamy, University of Michigan Ross School of Business, for his collaborative
work with me on linking Return Driven Strategy, Strategic Risk Management and Value
Co-Creation. I would also like to thank research fellow Michael L. Frigo and Graduate
Research Assistants Michael Gardon, Elvira Galimova, Chen Luo and Andrew Jameson

for their research and assistance in developing the primer.
I would like to acknowledge my colleague Ray Whittington, dean of the College of

Commerce at DePaul University for his initial observation and encouragement to apply
the Return Driven Strategy framework to Enterprise Risk Management (ERM) and to
Belverd E. Needles for his continued collaborative work in this area.
We sincerely thank the business leaders, directors, and students who have participated in
the seminars and courses conducted around the world over the last several years.
Mark L. Frigo, PHD, CPA, CMA

Chicago, Illinois
March 2010

Preface
This book focuses on the latest developments in applying the Return Driven Strategy to
the area of strategic risk management. During the last two years, we have seen
dramatic events unfold and huge amounts of wealth destroyed. In 2008, we launched
the Strategic Risk Management Lab in the Center for Strategy, Execution, and Valuation
at DePaul University. The Strategic Risk Management Lab is an engagement platform
and forum for thought leaders and practitioners in Enterprise Risk Management (ERM)
and Strategic Risk Management. The Strategic Risk Management Lab provides
collaborative research in the Strategic Risk Management and ERM areas and sharing of
leading practices in Strategic Risk Management based on the extensive research on high
performance companies in The Center for Strategy, Execution, and Valuation and the
Return Driven Strategy Initiative.
Articles from Strategic Finance in this Primer as reprinted with permission © copyright
2009, 2008, 2007 by the Institute of Management Accountants (IMA®), Montvale, N.J.,
www.imanet.org.
The June 2009 article from Internal Auditor in this Primer was reprinted with permission from
the Internal Auditor, published by The Institute of Internal Auditors, Inc., www.theiia.org


Overview and Use of the

Primer on Strategic Risk Management
The Primer on Strategic Risk Management is designed to be an easy to use source of
relevant information on strategic risk management for directors and senior executives.
The materials and information in the Primer are presented in a series of articles and
short narratives, grouped into chapters by topic, that lend themselves to quick readings
in short time periods. While the Primer is structured in chapters that begin with the
definition of strategic risk management and then progresses through the various
frameworks and tools and diagnostics, the chapters and articles can also be read
individually on a stand-alone basis. This structure allows the reader to use the Primer
during short time periods, such as plane trips, without having to read through the entire
text of the book in chapter sequence. In this manner, the Primer can become an easily
carried and used source of “as needed” information on the increasing important topic of
strategic risk management.
Accordingly, we encourage readers to first go through and familiarize themselves with

the Table of Contents. Some readers new to topic of strategic risk will find it most
useful to work through the complete Primer as structured from front to back. Other
readers, who may have had prior exposure to the topic, may find it beneficial to identify
those sections of the Primer that may be of highest immediate interest to them and start
directly with those articles or chapters. The structure and design of the Primer will allow
either approach.
• How can risk management be linked to strategy and strategy execution?

(Explained in Chapter One)
• What is Strategic Risk Management and why is it needed?
(Chapter Two)
• How can we better understand our strategy and its underlying risks?
(Chapter Three)
• Is there a systematic approach and framework that can be used to identify
strategic risks?
(Chapter Four)
• Where is the best place to start?
(Chapter Five)
• How can Governance, Risk and Compliance functions and capabilities be better
aligned for better effectiveness and efficiency?
(Chapter Six)

• What are some examples of Strategic Risk Management?

(Chapter Seven)
• What tools and diagnostics can be useful for strategic risk management?
(Chapter Eight)

Linking Risk Management with Strategy and

Strategy Execution
This chapter presents an approach for linking risk management with strategic planning
and strategy execution. It begins with the premise that first we must understand the
strategy of the organization, then understand the risk in the strategy and then indentify
measures and ways to monitor and manage the risk.
• Strategy, Risk and Performance Measures 4

• Integrating Risk Management in Strategic Planning 8
• Developing a “Bridge” between Strategy and Risk Management 17

Chapter 1
Strategy, Risk and Performance Measures

In our work with boards and management teams, we recognized the importance of using
the right sequence in understanding and managing risk. As the exhibit below shows, we
must first understand and analyze the strategy of the organization, before we can truly
understand the risks in the strategy and before we can develop measures for monitoring
and managing risk.
The Linkage Between Strategy and Strategic Risk
Strategy Strategic Risk

Risk Metrics
Understand the Understand the Risks in How is Risk Measured,

Strategy the Strategy Monitored & Managed?
“The sequence is important, you can’t understand an organization’s strategic

risks without a deep understanding of its strategies.”
Frigo and Anderson, Strategic Risk Management: A Primer for Directors and Mananagement Teams (2009)
One of the challenges facing management teams is finding a way to integrate risk
management it the strategy development and strategy execution processes of the
organization. At the same time, three are many approaches for strategy development
and strategy execution.
The six-stage management system developed by Kaplan and Norton provides a

complete and systematic process and is being used by many organizations.1 This six-
stage Execution Premium Process developed Kaplan and Norton can provide a platform
for a systematic approach to strategic risk management. Organizations that are already
using this process are “a step ahead” and can incorporate strategic risk management
1
Kaplan, Robert S. and David P. Norton, The Execution Premium: Linking Strategy to Operations for
Competitive Advantage (Harvard Business School Press) 2008 and 1 Kaplan, Robert S. and David P.
Norton “Mastering the Management System” Harvard Business Review, January 2008

Linking Risk Management with Strategy and Strategy Execution
elements is each stage. Companies considering this process have yet another reason to
adapt it for strategic risk management. At the Strategic Risk Management Lab at
DePaul University we are working with management teams to help them embed and
incorporate Strategic Risk Management and ERM into each stage of the management
system.
The Kaplan-Norton Execution Model

The six-stage management system is shown below, involving the following stages:
Stage 1, Develop the Strategy
This stage involves developing the mission, vision and values of the organization,
completing strategic analysis and formulating the strategy.
Stage 2, Translate the Strategy,
In stage 2, the strategy is translated into operational terms by developing Strategy Maps,
identifying Strategic Themes, identifying performance measures and targets, and
developing action plans and funding plans, including strategic expenditures.
Stage 3. Align the Organization,
Stage 3 focuses on alignment of the organization for strategy execution.
Stage 4. Plan Operations,
Stage 4 involves developing operation plans, including the budget.
Stage 5, Monitor and Learn,
Stage 5 focuses on periodic operational and strategic reviews to monitor performance.
Stage 6, Test and Adapt,
Stage 6 focuses on test and adapting the strategy which completes the closed-loop
system.
The Kaplan-Norton Management System
2 TRANSLATE THE STRATEGY DEVELOP THE STRATEGY 1

•Strategy Map / Themes •Mission, Value, Vision
•Measures / Targets •Strategic Analysis
•Initiative Portfolios •Strategy Formulation
•Funding / Stratex
Performance TEST & ADAPT

Strategic Plan
ALIGN THE ORGANIZATION measures
•Strategy map •Profitability Analysis
3
•Business Units
•Support Units •Balanced Scorecard •Strategy Correlations 6
•Employees •Stratex •Emerging Strategies
•Board of Directors
Results
PLAN OPERATIONS MONITOR & LEARN

Operating Plan
•Key process improvement 5
4 •Sales planning
•Resource capacity plan
•Sales Forecast •Strategy Reviews
•Operational Reviews
•Resource Requirements
•Budgeting •Dashboards
•Budgets Performance
measures
Results
EXECUTION
Source: Kaplan and Norton, The Execution Premium Process
(Harvard Business School Press, 2008).
Initiative
© Copyright Dr. Mark L. Frigo 2009 – Do not copy or redistribute without express written consent of Dr. Mark L. Frigo

Chapter 1
Integrating Risk Management in the Management System
The Exhibit below shows how Strategic Risk Management can be embedded in the
management system.
Embedding Strategic Risk Management in Strategy Execution

USE
DEFINE AND RETURN DRIVEN
APPROVE THE
RISK APPETITE 1 STRATEGY
FRAMEW ORK
BASED ON RDS
AND SRM
TRANSLATE THE STRATEGY DEVELOP THE STRATEGY
•Strategy Map / Themes
GUIDING
PRINCIPLES 2 •Measures / Targets
•Mission, Value, Vision
•Strategic Analysis
USE THE
STRATEGIC
RISK
•Risk Appetite •Strategy Formulation FRAMEW ORK
USE THE
STRATEGIC •Initiative Portfolios •Strategic Risk Assessment
GRC •Funding / Stratex
FRAMEWORK
ESTABLISH
AND
Performance TEST & ADAPT PROCESS TO
ENTERPRISE Strategic Plan
RISK POLICY ALIGN THE ORGANIZATION measures
IDENTIFY
•Business Units •Strategy map •Profitability Analysis EMERGING

RISKS
•Support Units •Balanced Scorecard •Strategy Correlations
•Risk & Control Units (GRC) •StratEx •Emerging Strategies
3 •Employees
•Board of Directors
•Emerging Risks
6
INCLUDE
IDENTIFY RISK Results
RISK MEASURES
ROOT
CAUSES
PLAN OPERATIONS MONITOR & LEARN
Operating Plan
•Key process improvement •Strategy Reviews 5
4 •Sales planning
•Resource capacity plan
•Sales Forecast •Operational Reviews
•Resource Requirements •Risk Management
•Budgeting •Dashboards Reviews
•Budgets Performance
INCLUDE measures
RISK
MEASURES PERFORM RISK
Results MONITORING
AND
REPORTING
EXECUTION
Source: Kaplan and Norton, The Execution Premium Process
(Harvard Business School Press, 2008).
Initiative
© Copyright Dr. Mark L. Frigo 2009 – Do not copy or redistribute without express written consent of Dr. Mark L. Frigo
In Stage 1, Develop the Strategy, management teams conduct strategic risk

assessments and formulate strategic risk management plans as part of their strategy
using the Return Driven Strategy and Strategic Risk Management frameworks. The
logical connection between the Return Driven Strategy framework and its related
Strategic Risk Management framework provide a way to develop and refine strategy and
assess the strategic risk in the business strategy.
In Stage 2, Translate the Strategy, they identify strategic risk management objectives
and measures which can be included in Balanced Scorecards and also use Strategy Maps
to identify the cause-and-effect linkages and root causes of key strategic risks. They
also define the Risk Appetite based on the strategy and strategic risk assessment. The
development of Risk Appetite is not an easy task. We recommend developing a set of
risk tolerance and risk appetite guiding principles as part of Stage 1 Develop the
Strategy where the Enterprise Risk Policy and Appetite (see Chapter 5) is developed.

In Stage 3. Align the Organization, management teams align the governance, risk and
control units based on the Strategic GRC Framework. This would include developing
the Enterprise Risk Policy and Appetite (see Chapter 5) which sets the stage of aligning
the control units.
In Stage 4. Plan Operations, they develop strategic and business unit Key Risk
Indicators (KRI’s) and develop business unit risk dashboards and reporting using the
KRI’s.
In Stage 5, Monitor and Learn, management teams hold strategic risk management
reviews where the Strategic Risk Management framework is used to provide a common
language and perspective on risk and they monitor and report on KRI’s.
And in Stage 6, Test and Adapt, management teams conduct strategic risk analysis and
monitor emerging risks.

Chapter 1
INTEGRATING RISK INTO STRATEGIC PLANNING

Successful deployments of ERM in strategic planning seek to maximize value when
setting strategic goals by finding an optimal balance between performance goals and
targets and related risks. As management evaluates various strategic alternatives
designed to reach performance goals, it includes related risks across each alternative in
that evaluation process to determine whether the potential returns are commensurate
with the associated risks that each alternative brings. It also considers how one strategic
initiative might introduce risks that are counter-productive to goals associated with
another strategy. At that point, management is in a better position to evaluate various
strategic alternatives to ensure that the combined risks that the entity might take on are
within the stakeholders’ appetite for risk and that they collectively support the strategic
direction desired.
Considering risk during strategy planning also creates an ability to seize risk
opportunities. Again, the goal of ERM is to preserve and enhance value. In some
situations, ERM may reveal areas where the enterprise is being too risk averse or is
ineffectively responding to similar risks that exist across multiple silos of the enterprise.
In other situations, ERM may identify risk opportunities that may create potential
increased returns to the enterprise. If risks are ignored in strategy, risk opportunities may
be overlooked.
A consumer products company’s experience illustrates the advantage of connecting

strategy and risks. As part of its sales strategy, the company sought to increase revenues
by strategically aligning with a key retail customer through electronic reordering
systems. As part of this alliance, the consumer products company entered into contracts
requiring the automatic shipment of products to the retail customer’s distribution
warehouses within two-hour increments upon receipt of the customer’s electronic
reorder purchase request.
As the consumer products company began to launch its ERM processes, senior
management quickly discovered a huge potential threat to this strategic arrangement
with the retail customer. The company’s information technology (IT) disaster recovery
processes were set to be within acceptable tolerance limits established by the IT group.
In an effort to balance costs with perceived IT needs, the IT group had put recovery
procedures in place to fully restore IT-based sales systems within a two-day (not two-
hour) period. When core sales executives learned about this recovery time frame, they
quickly partnered with IT to reduce recovery thresholds to shorter windows of time. Had
they not linked IT’s disaster recovery response risks with the sales strategies to fulfill
customer orders within two-hour increments, a looming IT disaster could have

significantly affected their ability to achieve sales goals, thus compromising the
enterprise’s ability to achieve strategic goals. Needless to say, this discovery also
prevented other risks that might have been triggered by a disaster, including legal risks
tied to contract violations, cash flow losses due to idle sales functions, and reputation
risks that could have been realized given the large size and visibility of both the
consumer products company and retailer customer.
Evaluating Strategic Business Risk Using the Return Driven Strategy

Framework
The first step in strategic risk management is finding a way to systematically evaluate a
company’s strategic business risk. That has to begin with first making sure management
and the board understand the entity’s key strategies that are designed to preserve and
create stakeholder value. For a for-profit entity, key strategies are generally linked to
increasing shareholder value through initiatives designed to boost revenues, to maintain
or reduce costs, or to pursue growth through mergers and acquisitions. A thorough
understanding of specific drivers of shareholder value that management and board are
pursuing is necessary before risks surrounding those drivers can be accurately and
completely considered. And, that understanding of specific strategy drivers has to
permeate leadership across the organization if risks are to be managed effectively.
The next step to strategic risk management surrounds defining the entity’s use of the
term “risk.” Michael Porter’s definition in his landmark book, Competitive Advantage is
useful:
“Risk is a function of how poorly a strategy will perform if the ‘wrong’ scenario
occurs.”2
Thus, strategic risk management begins by identifying and evaluating how a wide range
of possible events and scenarios will impact a business’s strategy execution, including
the ultimate impact on the valuation of the company.
Before management can effectively manage risks that might be identified by various
scenario analyses, they need to define an overriding risk management goal. Risk
appetites can vary across industries and entities. Without an understanding of
stakeholder appetites for risks, neither management nor the board know what strategic
risks are to be managed and what risks are to be accepted.
2
Porter, Michael E. Competitive Advantage, New York: Free Press, 1985 p. 476.

Chapter 1
The Return Driven Strategy® framework is an effective tool for integrating strategic
goals and risk management goals. The framework is the result of more than a decade of
research and application, involving the study of thousands of companies and the
identification of strategic activities that separate the best performers from the worst. The
Return Driven Strategy framework describes the hierarchy of strategic activities of best
performing companies in terms of financial impact and shareholder value.
The Return Driven Strategy is comprised of eleven core tenets and three foundations
that together form a hierarchy of interrelated activities that companies must perform to
deliver superior financial performance. These tenets and foundations summarize the
common activities of high performance companies and identify flawed strategies of
marginal performers. Here is a list of the eleven tenets and three foundations of Return
Driven Strategy.3
11 Tenets of the Return Driven Framework

The Commitment Tenet:
1. Ethically Maximize Wealth
Management must understand, define, and then align all activities toward the
shareholder wealth creation objectives and ensure that the business operates within the
ethical parameters set by its communities.
3
Frigo, Mark L. and Joel Litman, Driven: Business Strategy, Human Actions and the Creation of Wealth,
Strategy and Execution (2008)
10

Two Goal Tenets:

2. Fulfill Otherwise Unmet Customer Needs
3. Target and Dominate Appropriate Customer Groups
To avoid commoditization, management must focus on fulfilling otherwise unmet
customer needs. The path to business success is through the customer – sufficiently
large enough groups of customers. This means targeting economically profitable
customer groups that have sufficient size and growth opportunities while fulfilling
otherwise unmet need which are not commoditized.
Three Competency Tenets:

4. Deliver Offerings
5. Innovate Offerings
6. Brand Offerings
Through synchronization of these three competency tenets, offerings are created that
target customer needs. Management needs to consider the executability of plans at the
outset, with the three higher Tenets as primary goals. Continuous innovation of the
entirety of the offerings to develop offerings designed to enhance needs currently
unfulfilled. Branding of the offerings to bridge the customer’s explicitly understood
need to the offering that uniquely fulfills it.
Five Supporting Tenets:

7. Partner Deliberately
8. Map and Redesign Processes
9. Engage Employees and Others
10. Balance Focus and Options
11. Communicate Holistically
The supporting activities are done to support the achievement of the higher level tenets:
the competency tenet, goal tenet and commitment tenet.
There are three foundations that are critical to the Return Driven Strategy
1. Genuine Assets
The Eleven Tenets are the “verbs” of strategy. Genuine Assets are the “nouns.” Genuine
Assets are the building blocks of sustainable competitive advantage. Activities are
copied by competitors, leading to price competition and reduced cash flow returns. This
can be defended only by leveraging unique assets to create unique offerings that cannot
be copied (patents, brands, scale and scope, etc.).
2. Vigilance to Forces of Change
The ability and agility to capitalize on opportunities and avoid threats is foundational.
Management must take advantage of opportunities and avoid threats in each of the
Tenets arising from 1) government, legal, and other regulatory change, 2) demographic
11

Chapter 1
and cultural shifts, 3) scientific and technological breakthroughs.

3. Disciplined Performance Measurement and Valuation
A discipline that links strategy to ultimate financial results is necessary to for measuring
the achievement of strategic goals. Performance measures must be in place to support
the achievement of the strategy and its resulting value creation.
This framework describes how an enterprise’s strategy can be aligned with the ultimate
objective to “Ethically Maximize Shareholder Wealth.” This is a valid goal for a
business entity: to create shareholder wealth, to strive to maximize it, and to do so while
adhering to the ethical parameters of stakeholders and communities.4
That ultimate strategic goal can work simultaneously as the entity’s risk management
goal as well. That is, management must understand, define, and then align risk
management activities toward ethical shareholder wealth creation objectives. In doing
so, risk management activities must be justified in terms of shareholder wealth creation.
If wealth preservation or creation isn’t linked to risk management activities, then
particular risk management activities should be challenged.
We believe that, to be effective, a framework for strategic risk management needs to
include these three characteristics:
1. Alignment with a Commitment to Ethically Create Shareholder Wealth.
Risk management must have a strong alignment with protecting and creating
shareholder value. Rule No. 1 of strategic risk management should read: “First, don’t
destroy shareholder value.” But to add value, strategic risk management should be
firmly aligned with the creation of shareholder wealth and have a focus on risk
opportunities (e.g., the “upside” of risk). Of course, shareholder wealth should be
created within the ethical parameters of the constituents and the communities in which
the company operates. Any framework for strategic risk management should have the
ability to make the connection among the strategy of the organization, its execution and
related risk management, and the valuation of the entity.5
2. Holistic. Strategic risk management should be holistic and broad enough to
encompass the spectrum of entity-wide activities needed to achieve an organization’s
strategy. A framework for strategic risk management needs to be integrated so that
various facets of strategic business risk can be linked with the overall goals of the
business. This is where an ERM approach to risk management helps provide value
through its emphasis on viewing risk-related scenarios using a top-down, holistic
4
For more, see Frigo, Mark L. and Joel Litman, Driven: Business Strategy, Human Actions and the
Creation of Wealth, Strategy and Execution (2008); “What Is Return Driven Strategy?” by Mark Frigo
and Joel Litman in the February 2002 issue of Strategic Finance, and “Performance Measures that Drive
the First Tenet of Business Strategy” by Mark Frigo in the September 2003 issue of Strategic Finance.
5
For more about this, see “When Strategy and Valuation Meet: Five Lessons from Return Driven
Strategy” by Joel Litman and Mark Frigo in the August 2004 issue of Strategic Finance.
12

portfolio approach to determining how various silo risk events might interact to limit or
destroy value. A holistic approach to strategic risk management helps connect various
business unit goals and objectives and related risks to the overall goal of maximizing
shareholder wealth. Without a holistic view, strategic activities within one aspect of the
enterprise may be creating strategic risks for another part of the business.
For example, Harley Davidson’s recent letter to shareholders describes one of its
strategic goals to expand into international markets, particularly China and Japan. The
letter also describes another strategic goal to enhance its “H.O.G.” brand mystique and
motorcycling lifestyle. In this case, the strategic desire to expand into Asian cultures, if
left unmanaged, has the potential to create risks associated with its strategic desire to
expand the Harley mystique if changes are made to Harley products to satisfy the
motorcycling preferences of riders in different cultures. To effectively manage strategic
risks, management needs to monitor how each strategic initiative might be throwing off
counterproductive risks impeding other strategic objectives.6
3. Capable of Identifying and Evaluating Events and Forces of Change.
Strategic risk management has to be an ongoing, continual process. It can’t be an
activity that happens only occasionally. Risks are constantly evolving, which means an
organization’s strategies may need to evolve as well, so effective strategic business risk
management must be capable of regularly identifying and evaluating how events,
scenarios, and forces of change will impact the business strategy and its performance.
Management’s dashboard of key performance metrics should also include key risk
indicators that provide leading information about changing risk conditions so that
management is better prepared to adjust strategies ahead of the risk curve in a proactive
manner, rather than be blind-sided by shifting risk conditions that are realized too late to
adjust deployments of key strategies, such as the situation at Ericsson. Robust
management scorecard reporting systems that include key strategy and risk management
metrics can help strengthen management’s effectiveness at staying on top of key
changes that may impact the entity’s strategic goals.
Using a Framework to Build a Strategic Risk Management Mindset

Executive teams have used the Return Driven Strategy as a holistic framework to set,
evaluate, refine, and execute strategy. It also has been integrated into strategic planning
processes and used as a way to evaluate the impact of events and scenarios, including
merger-and-acquisition scenarios, on a strategy’s performance. As directors and
6
For more discussion of Harley-Davidson and strategic risk management, see Frigo, Mark L. and Venkat
Ramaswamy, Co-Creating Strategic Risk-Return Management” Strategic Finance (2009);; and Frigo,
Mark L. and Venkat Ramaswamy, “Co-Creating Risk-Return” Working Paper (2009).Chapter 14 “Co-
Creating Risk Management, Governance, and Transformational Change” in Co-Creating the Future:
Engaging Customers, Employees and All Stakeholders to Co-Create Mutual Value by Venkat
Ramaswamy and Francis Gouillart (forthcoming);
13

Chapter 1
management have used the framework to evaluate the business strategy, they have been
able to hone in on key risks that could destroy shareholder value while considering the
upside of risk in terms of the opportunities, thereby using it as a strategic risk
management framework.
Strategic Risk Management as a Core Competency
14

Strategic Risk Management Action Plan and Strategy Execution
The Strategic Risk Management Action Plan should consider how risk
assessment and risk management can be integrated in strategy execution
processes. This would include integrating risk management into strategic
planning and performance measurement systems. The Kaplan-Norton
Strategy Execution Model (see Kaplan and Norton, Achieving the Execution
Premium, Harvard Business Publishing 2008), which describes six stages for
strategy execution, provides a useful framework for visualizing where risk
management can be done.
Stage 1 Develop the Strategy: This stage includes developing mission,

values and vision; strategic analysis; and strategy formulation.
At this stage, a Strategic Risk Assessment could be included and use the
Return Driven Strategy framework to articulate and clarify the strategy
and the Strategic Risk Management framework to identify strategic risks
of the organization.
Stage 2 Translate the Strategy: This stage includes developing Strategy

Maps, Strategic Themes, Objectives, Measures, Targets, Initiatives and the
Strategic Plan in the form of Strategy Maps, Balanced Scorecards and
Strategic Expenditures.
At this stage, the Strategic Risk Management framework would be used
in developing risk-based objectives and performance measures for
Balanced Scorecards and Strategy Maps. It would also be useful for
analyzing risks related to strategic expenditures. At this stage, the
development of a Risk Scorecard could also be considered.
Stage 3 Align the Organization: This stage includes aligning business

units, support units, employees and boards of directors.
At this stage, the Strategic Risk Management Alignment Guide and
Strategic Framework for GRC would be useful for aligning risk and
control units toward more effective and efficient risk management and
governance while linking this alignment into the strategy of the
organization.
Stage 4 Plan Operations: This stage includes developing the operating plan,
key process improvements, sales planning, resource capacity planning and
budgeting.
In this stage, the Strategic Risk Management Action Plan can be reflected
in the operating plan and dashboards, including risk dashboards.
15

Chapter 1
Stage 5 Monitor and Learn: This stage includes strategy reviews and
operational reviews.
In this stage, Strategic Risk Reviews would be part of the on-going
Strategic Risk Assessment which reinforces the necessary continual,
closed-loop approach for effective Strategy Risk Assessment and
Strategy Execution.
Stage 6 Test and Adapt: This stage includes profitability analysis and
emerging strategies.
In this stage emerging risks can be considered as part of the on-going
Strategic Risk Assessment.
For more discussion on integrating risk management in the strategy

execution model and a discussion of Risk Scorecards, see Kaplan, “Risk
Management and Strategy Execution Systems” Balanced Scorecard Report,
November-December 2009.
16

DEVELOPING A “BRIDGE” BETWEEN STRATEGY AND RISK

MANAGEMENT: WHEN STRATEGY AND RISK MANAGEMENT MEET
One of major challenges for organizations is to develop clear linkages and
connection between the strategy of the organization and its risk and risk
management. Strategy is often developed in one process and risk assessment and
risk management in another.
The Strategy Map has been a useful framework for building a “bridge” between
strategy and risk management. Since Strategy Maps are designed for strategy
execution and to provide alignment between strategic initiatives of an organization,
it can also be used to incorporate risk management.
The Strategy Map below as developed by a management team as part of its strategic
planning process, where the Return Driven Strategy framework as used to focus and
align the strategy to the overall goal in the Strategy Map, “Create and Protect
Shareholder Value”. Strategic Risk Management Objectives are embedded in the
Strategy Map.
Using Strategy
Using Strategy Maps
Maps to
to Incorporate
Incorporate Strategic
Strategic Risk
Risk Management
Management Objectives
Objectives
Create and Protect Shareholder Value
Profitable Growth from New Increase Value from Existing Organizational

Financial Improve Productivity
Technologies and Services and New Customers Efficiency and Leverage
Strategic Objectives
Customer Be the Leader in Develop Technologies to Deliver Highly

Customer Focused
Strategic Objectives Cost & Quality Improve Cost & Performance Valued Solutions
Strategic 1-Operational 2-Create Value with 3-Grow High Value 4-Organizational

Themes excellence Technology Customer Relationships Alignment
Internal Process
Strategic Objectives
Reduce costs Disciplined Investment Improve Pricing Communication
in New Technologies Discipline
Improve quality and costs Enable Rapid New Teaming
continuously Drive Packaging Product introduction
Technology Information Sharing
Leverage an Open
Eliminate non-value Leverage Technology Collaboration Technology Roles and Alignment
added processes Transfer Model
Licensing Secure long term market Strategic Risk
Risk Management: Share and Technology Management
Liability for Failures Risk Management: Licenses
Protect IP ERM Initiative
Risk Management Risk Assessment
Protect IP
Capabilities and Growth Organizational Alignment-Create a high performance culture and infrastructure
Strategic Objectives Develop Balanced Expand and Build Develop Leadership Enable and Encourage
Retain and Develop
Scorecard and Strategic Skills, Risk And Execution-Driven Continuous Learning
Critical Talent
Strategy Maps Management Culture Culture and Knowledge Sharing
2
© Copyright Dr. Mark L. Frigo 2010 - Do not copy or redistribute without express written consent of Dr. Mark L. Frigo
17

Chapter 1
The management team also used the exhibit below to visualize the intersection of
Strategy and Strategic Risk Management, which is Strategy Execution.
Example: Connecting Strategy, Execution and Risk Management
Strategy Strategy Execution Strategic Risk Management

• The Return Driven Strategy • Strategy Map: Describes the • Risk Assessment and Risk
framework provides a way to align the strategic themes and strategic Management need to be highly
business strategy to optimize wealth objectives with the four perspectives of connected with Strategy and
creation. the Balanced Scorecard: Financial, Execution to be effective.
• It provides a logic and language for Customer, Internal Process and • The Strategic Risk Management
having an honest discussion about Capabilities. framework about provides a
strategy and strategic initiatives. • Strategic Themes: Describe the convenient way to organize risk
• It provides a “way of thinking”, as primary pathways to growth and information and risk areas.
way of strategic thinking on a day to profitability. • Since risks are often interconnected
day basis. • Strategic Objectives: Describe what and interrelated, the framework
• It provides an architecture which needs to be done to achieve the provides a way to understand the
leads to the four perspectives of the strategic themes. totality of risk impacts as well as
Balanced Scorecard and Strategy • Execution Plans: Include understanding the cause and effect
Maps: Financial, Customer, Internal performance measures, targets and linkages of risks.
Processes, and Capabilities and actions plans.
Growth. •Strategic Risk Management
• It provides a way to organize risks. Objectives are embedded
Strategy
• The Return Driven Strategy framework provides a way to align the business
strategy to optimize wealth creation.
• It provides a logic and language for having an honest discussion about
strategy and strategic initiatives.
• It provides a “way of thinking”, as way of strategic thinking on a day to day
basis.
• It provides an architecture which leads to the four perspectives of the
Balanced Scorecard and Strategy Maps: Financial, Customer, Internal
Processes, and Capabilities and Growth.
• It provides a way to organize risks.
Strategy Execution
• Strategy Map: Describes the strategic themes and strategic objectives with
the four perspectives of the Balanced Scorecard: Financial, Customer,
Internal Process and Capabilities.
• Strategic Themes: Describe the primary pathways to growth and
profitability.
• Strategic Objectives: Describe what needs to be done to achieve the strategic
18

themes.
• Execution Plans: Include performance measures, targets and actions plans.
• Strategic Risk Management Objectives are embedded in the Strategy Map.

• Risk Assessment and Risk Management need to be highly connected with
Strategy and Execution to be effective.
• The Strategic Risk Management framework about provides a convenient
way to organize risk information and risk areas.
• Since risks are often interconnected and interrelated, the framework
provides a way to understand the totality of risk impacts as well as
understanding the cause and effect linkages of risks.
19

20

What is Strategic Risk Management?
This chapter defines Strategic Risk Management and discusses its growing importance.
• What is Strategic Risk Management? 22

• Creating a Strategic Risk Mindset and Culture 36
• The Directors Primer on Strategic Risk Management 45
• Risk Management Guiding Principles 51
21

Chapter 2
Background on Risk Management

Managing risk is certainly not a new concept to businesses and their executives. Many
executives easily comment on the fact that they have been managing risks for their
entire careers. It is also clearly evident that many companies have had long and
successful histories of managing risk and delivering value to their stakeholders,
especially in the post-world war II environment of the 50’s, 60’s and into the 70’s. All
this has occurred with few organizations having formal risk management functions or
risk officers and without any real transparency. In cases where “risk management” units
or officers were found, quite often those units function was to manage the organization’s
various insurance needs.
The decade of the 70’s saw the development of “capital markets” activities, especially in
the banking industry. The growing and complexity of the initial derivatives products
and related trading activities spawned the first “risk management” functions in those
banking organizations. These functions were primarily focused on trading and portfolio
exposures and risks as the bank grappled with the risks in these newer products.
As the complexity of financial products and markets continued to evolve, there was a
growing focus on risk management including the expansion of the focus to the broader,
enterprise-wide risks facing organizations. Risk management practices and processes
continued to develop along with a growing awareness of risk on the part of boards and
audit committees. However, there was a lack of an accepted framework or standard that
could be used to evaluate risk management activities.
To address that situation, the Committee of Sponsoring Organizations of the Treadway

Commission (COSO), undertook a project to develop a framework that could be used by
managements to evaluate and improve their organizations’ risk management activities.
In 2004, COSO issued “Enterprise Risk Management – Integrated Framework” to fill
that gap. The COSO framework is a robust, enterprise-wide framework that is intended
to encompass enterprise risk management (ERM) and be applied in both strategy and
across the enterprise, “at every level and unit.”
While the COSO ERM gained wide-spread recognition and acceptance, it’s
development and publication coincided with the implementation of the Sarbanes-Oxley
Act of 2002 (SOX). For many organizations and their audit committees, dealing with
the implementation and reporting requirements of SOX were overwhelming and
demanded virtually all their attention. Audit committees became very “compliance”
22

focused and had little time left to deal with strategic issues or risk. Significant attention
was placed on the COSO Internal Control Framework, which was extensively used by
organizations in complying with the financial controls related requirements of SOX.
However, much less, if any attention was given to the COSO ERM Framework as SOX
did not require or really address ERM.
Following the period of SOX implementation, the past few years have seen an
unprecedented series of economics losses and the disappearance of shareholder value as
certain organizations have been negatively impacted by various events and risks. This
situation has caused a re-focus on what and how boards and executives are managing
the risks in their organizations. As a result, a number of countries, such as the US, UK
and Australia have now required boards and/or audit committees to focus more on risk
and risk management. For example, the Listing Requirements of the New York Stock
Exchange (NYSE) now require audit committees of listed companies to discuss their
organizations polices related to risk assessment and risk management. In their
commentary on this requirement, the NYSE indicates the audit committee must,
“discuss guidelines and policies to govern the process by which risk assessment and
management is undertaken.” Similarly, rating agencies, including Moody’s and
Standard & Poors also indicated their interest and focus on risk management practices
including full ERM.
The Advent of Strategic Risk Management

Today, directors and executives are seeing increased expectations from shareholders,
regulators, rating agencies, and other stakeholders that they understand and are
managing their strategic risks and that there is transparency around that management
process. For example, a recent study by PricewaterhouseCoopers indicated that,
“Increasing stakeholder scrutiny has been a key driver for the recent developments of
ERM and is set to raise the bar still further in the coming years.” Fortunately, with SOX
now fully implemented and operational, audit committees are finding the time available
to move further into understanding the organization’s risk management activates. A
survey conducted in 2008 by KPMG found that “Overall, the nearly 300 public
company audit committee members who responded to this year’s survey ranked risk
management as their top priority.”
While ERM and risk management in general, can encompass a wide range of risks, it
appears that this re-emergence of risk management, when coupled with the catastrophic
losses incurred by some organizations, has given rise to focus on “strategic risk
management.” Strategic risk management can be defined as “the process of identifying,
assessing and managing the risk in the organization’s business strategy – including
23

Chapter 2
taking swift action when risk is actually realized.” It includes recognition that there
should be a clear and transparent linkage and alignment between and organization’s
business strategy, the risks related to that strategy and overall objectives of the
organization. Strategic risk management then is focused at the most consequential and
significant risks to shareholder value; clearly an area deserving of the time and attention
of executive management and the directors. An excellent set of attributes for strategic
risk management is contained in the 2008 announcement by S&P, these include;
- “Management’s view of the most consequential risk the firm faces, their
likelihood, and potential effect,
- The frequency and nature of updating the identification of these top risks,
- The influence of risk sensitivity on liability management and financial decisions,
and
- The role of risk management in strategic decision making.”
Clearly then, strategic risk management starts with a basis in the core business strategy
of the organization and the risk imbedded in it. However, given the dynamic nature of
risk, it then also encompasses strategic decisions and also the potential impact of
emerging internal and external events. It appears that some of these issues, strategic
decisions, external events, were items that created or magnified some of the strategic
risks that resulted in significant value losses to stakeholders in some originations.
Alignment is also a critical component of strategic risk management. Again, learning

from some of the recent events, it appears that in certain organizations, there was a not
alignment between certain management and executive compensation programs and the
longer term financial objectives of the organization and its shareholders.
A further critical component of strategic risk management is the articulation of the

organization’s risk appetite. In Moody’s 2006 release on “Best Practices for a Board’s
role in Risk Oversight,” they discuss the importance of the board discussing and
approving a firm’s risk appetite. Moody’s comments note that they, “believe that
explicit discussions surrounding a firm’s overall risk appetite often are perfunctory, and
sometimes non-existent.” They recommend the board discuss and approve the firms
risk appetite as part of their approval and review of the business plans.
Accordingly, strategic risk management has become an expected and key component of
an organization’s overall governance processes. There is an expectation that the
directors understand the key strategic risks to the organization and also that they are
performing an appropriate oversight of management’s risk management processes.
24

Strategic Risk Management and ERM

As noted above, the term ERM is commonly used to refer to an overall, all-
encompassing set of risk management processes. Strategic risk management is really a
sub-set of ERM, which includes many of the processes described in the COSO ERM
Framework. However, it is also the observation of the authors that frequently, the term
ERM is being used to describe a formal unit within the organization that conducts risk
management activities. This can lead to an erroneous assumption that to perform risk
management or ERM, the organization needs to form and staff a separate “ERM” unit
with associated costs and complexities. Based on this erroneous assumptions, some
organization’s have been reluctant to move very far into risk management because of the
associated expenses they believe are involved in formed a fully dedicated ERM unit.
We believe that boards can enhance their risk management processes and conduct
strategic risk management without needing to form a fully dedicated ERM unit. The
important item it not to form an ERM unit, but to undertake the processes of strategic
risk management. Support for the board can come from any number of areas within the
organization to start. It is also the observations of the authors that risk management has
a maturity curve and organization’s move up the maturity curve as they become more
knowledgeable about risk management, ERM and their own needs. Organizations rarely
move from one extreme of the curve to the other, or in another words, move from no
risk management processes to fully-staffed ERM functions.
Accordingly, it is not necessary to form and staff a stand-alone ERM unit to conduct
strategic risk management. In fact, strategic risk management is a good starting point
for directors and executive management. It focuses them on the risks that are most
important to them and brings to light core risk management processes that can be the
basis for further evolution and, possibly, full-fledged ERM.
ERM and Its Role in Strategic Planning and Strategy Execution

Enterprise risk management (ERM) has rightfully become a top priority for directors
and executive management. The 2008 economic crisis is highlighting the disastrous
results when risks associated with strategies are ignored or ineffectively managed.
Coming out of the crisis are numerous calls for improvements in overall risk oversight,
with a particular emphasis on strategic risk management.
One of the major challenges in ensuring that risk management is value creating is to
incorporate ERM in business and strategic planning of organizations. The silos that
separate risk management functions in organizations also create barriers that separate
strategic planning from ERM. In many cases, risk management activities are not linked
25

Chapter 2
or integrated with strategic planning and strategic risk can be overlooked, creating
dangerous “blind spots” in strategy execution and risk management that can be
catastrophic. The challenge, as well as opportunity, for organizations is to embed risk
thinking and risk management explicitly into the strategy development and strategy
execution processes of an organization so that strategy and risk mindsets are one in the
same.
RISING EXPECTATIONS FOR STRATEGIC RISK MANAGEMENT7

Expectations that boards of directors and senior executives are effectively managing
risks facing an enterprise are at all-time highs. Much of this shift in expectations was
prompted initially by corporate scandals and resulting changes in corporate governance
requirements, such as the Sarbanes-Oxley Act of 2002 (SOX) and the NYSE Corporate
Governance Rules updated in 2004. Debt rating agencies such as Standard & Poor’s,
Moody’s, and Fitch now examine enterprise-wide risk management practices of
institutions as part of their overall credit-rating assessment processes. Their particular
focus is on understanding the risk management culture and the overall Strategic Risk
Management processes in place.8
The economic crisis that began in 2007 is now shining a huge spotlight on the board and
senior management’s enterprise-wide risk management processes. Reform proponents
are pointing to failures in the overall risk oversight processes, including unaware boards,
overreliance on sophisticated models, and under-reliance on sound judgment. Critics
argue that because returns on certain strategic initiatives were so great, risks that were
present were either unknown or ignored.9 Numerous calls are now arising for drastic
improvements in risk management, with a specific call for more formal risk
considerations in managing an organization’s deployment of specific strategic
initiatives.
This sentiment is evidenced by Federal Reserve Governor Randall S. Kroszner’s

October 2008 speech where he argued that financial institutions must improve the
linkage between overall corporate strategy and risk management given that
“survivability will hinge on such an integration.” Governor Kroszner noted that many
firms have forgotten the critical importance of undertaking an adequate assessment of
7
This section is adapted from Beasley, Mark S. and Mark L. Frigo “Strategic Risk Management: Creating
and Protecting Value” Strategic Finance, May 2007.
8
For example, see Standard & Poor’s, Enterprise Risk Management: Standard & Poor’s To Apply
Enterprise Risk Analysis to Corporate Ratings, May 2008, www.standardandpoors.com, New York, NY.
9
For example, see The New York Times Magazine “Risk MisManagement” January 4, 2009 feature story
that was highly critical of the short comings of risk oversight processes at many of the failed financial
services institutions.
26

risks associated with the overall corporate strategies.10
This shift towards greater expectations for effective enterprise-wide risk management
oversight is complicated by the fact that the volume and complexities of risks affecting
an enterprise are increasing as well. Rapid changes in information technologies,
globalization and outsourcing, the sophistication of business transactions, and increased
competition make it that much more difficult for boards and senior executives to
effectively oversee the constantly evolving complex portfolio of risks.
Even before the recent financial crisis, board members believed that risks were
increasing. Ernst & Young’s 2006 report, Board Members on Risk, found that 72% of
board members surveyed believed that the overall level of risk that companies face has
increased in the past two years, with 41% indicating that overall levels of risk have
increased significantly. 11 Given recent events, that concern is only heightened.
Similarly, management has a similar observation. IBM’s 2008 Global CFO Study
reported that 62% of enterprises with revenues greater than $5 billion encountered a
major risk event that substantially effected operations or results in the last three years
and nearly half (42%) stated that they were not adequately prepared.12
Many of the risks threatening an enterprise are difficult to see and manage, given their
systemic nature. However, while many risks may be unknown, they often have a similar
impact. Management and boards of directors are increasingly being held accountable
for considering the probabilities and impact of various possible risk scenarios tied to
their overall business strategies, even for risk events that may not be foreseeable. For
example, the events of 9/11 and the catastrophic impact of Hurricane Katrina, while
“unknown” by most, had similar impacts: loss of employees, destroyed operations,
damaged IT infrastructure, lack of cash flow, etc. While management and boards are not
expected to predict the next 9/11 type event, they are expected to consider and be
proactive about thinking of responses to events (whatever the cause) that might have a
similar impact. That is, management should have a plan for any significant scenario that
might lead to consequences that might be detrimental to its core strategy, such as a loss
of employees, destroyed operations, damaged IT infrastructure, lack of cash flow,
drastic shift in regulations, etc.
10
Federal Reserve Governor Randall S. Kroszner’s speech, “Strategic Risk Management in an
Interconnected World,” October 20, 2008, Baltimore, Maryland (www.federalreserve.gov).
11
Ernst & Young 2006 report, Board Members on Risk (www.ey.com).
12
IBM Global Business Survey’s “Balancing risk and Performance with an Integrated Finance
Organization: The 2008 Global CFO Study,” 2008,
27

Chapter 2
The rise in the volume and complexities of risks is complicated by the fact that many of
the techniques used by boards and senior executives are dated, lack sophistication, and
are often ad hoc. Few boards and senior executives have robust key risk indicators that
provide adequate data to recognize shifts in risks patterns within and external to their
organizations, resulting in an inability to proactively alter strategic initiatives in advance
of risk events occurring. This has created an “expectations gap” between what
stakeholders expect boards and senior executives to do regarding enterprise-wide risk
management and what they actually are doing.
In response to these changing trends, organizations are embracing ERM because it

emphasizes a top-down, holistic approach to effective risk management for the entire
enterprise. The goal of ERM is to increase the likelihood that an organization will
achieve its objectives by managing risks to be within the stakeholders’ appetite for risk.
ERM done correctly should ultimately not only protect but also create stakeholder value.
ERM Positioned as Value-Creating

ERM differs from a traditional risk management approach, frequently referred to as a
“silo” or “stovepipe” approach, where risks are often managed in isolation. In those
environments, risks are managed by business unit leaders with minimal oversight or
communication of how particular risk management responses might affect other risk
aspects of the enterprise, including strategic risks. Instead, ERM seeks to strategically
consider the interactive effects of various risk events with the goal of balancing an
enterprise’s portfolio of risks to be within the stakeholders’ appetite for risk. The
ultimate objective of increasing the likelihood that strategic objectives are realized and
value is preserved and enhanced.
Traditional Risk Management Approach
Many companies take a “silo” approach to managing risk.
Operations Finance Human IT Risks Legal Reputation

Strategic
Risks Risks Risks Capital Risks Risks
Risks
“Silo” or “Stove-Pipe” Risk Management
28

Enterprise Risk Management Brings Risks Together
Valuation Creation and Preservation
Enterprise Focus on Risks
Strategic Operations Finance Human IT Risks Legal Reputation

Risks Risks Risks Capital Risks Risks
Risks
Key Messages:
1. Need to manage risk in an integrated fashion across the
enterprise
2. Risk management not only preserves value but also can
help create value
Several conceptual frameworks have been developed in recent years that provide an
overview of the core principles for effective ERM processes. In 2004, the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) issued its Enterprise
Risk Management--Integrated Framework, with this definition of ERM (see
www.coso.org):
Enterprise risk management is a process, effected by the entity’s board of directors,

management, and other personnel, applied in strategy setting and across the enterprise,
designed to identify potential events that may affect the entity, and manage risk to be
within the risk appetite, to provide reasonable assurance regarding the achievement of
entity objectives.
29

Chapter 2
The Relationship between Strategy and Risk is not a new

idea!
“Enterprise risk management is a process, effected by

the entity’s board of directors, management, and other
personnel, applied in a strategy setting and across the
enterprise, designed to identify potential events that
may affect the entity, and manage risk to be within the
risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives.”
Enterprise Risk Management—Integrated Framework

Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2004
© Copyright Mark L. Frigo 2008 - Do not copy or redistribute without express written consent of Dr. Mark L. Frigo Page 12
Note that ERM is directly related to “strategy setting”. For ERM to be value creating, it
must be embedded in and connected directly to the enterprise’s strategy. Another part
of this definition refers to the goal of ERM, which is to help the enterprise achieve its
core objectives. So, to be effective, ERM must be part of strategic planning process
and strategy execution processes.
30

Enterprise Risk Management (ERM)
There are three key elements to the definition of ERM that

relate to strategy.
1. ERM is directly related to strategy setting. For ERM to be

effective, it must be embedded in and connected directly to
the enterprise’s strategy processes.
2. ERM is designed to identify events that could affect the

company and the performance of its strategy.
3. A fundamental goal of ERM is to provide reasonable

assurance that the enterprise achieves its strategic
objectives.
Conclusion: Strategy and ERM need to be connected!

© Copyright Mark L. Frigo 2008 - Do not copy or redistribute without express written consent of Dr. Mark L. Frigo Page 13
The Conference Board’s 2007 research study, Emerging Governance Practices in

Enterprise Risk Management, notes that while many organizations are engaging in some
form of ERM, only a few have full-fledged ERM program infrastructures.13 Many of
these organizations initially launched their ERM efforts out of a compliance function,
such as compliance with SOX, emerging privacy legislation, and environmental
regulations, among others. More boards and senior executives are now working to shift
their ERM approach from a compliance orientation to a strategic orientation, consistent
with the view that an enterprise-wide approach to risk management should be value
enhancing. A 2008 survey, The 2008 Financial Crisis: A Wake-Up Call for Enterprise
Risk Management, by the Risk and Insurance Management Society (RIMS) found that
about 65% of the businesses surveyed have begun or plan to implement a strategic risk
management system.14
Board Demand Better Strategic Risk Management

Boards are feeling an increasing pressure to strengthen their overall oversight of the
enterprise’s risk management processes, with a stronger emphasis on strategic risk
management. Recent reports, such as The Conference Board’s Overseeing Risk
Management and Executive Compensation report issued in December 2008, note that
13
The Conference Board’s 2007 research study, Emerging Governance Practices in Enterprise Risk
Management.
14
The 2008 Financial Crisis: A Wake-Up Call for Enterprise Risk Management, by the Risk and
Insurance Management Society (RIMS).
31

Chapter 2
while companies report some progress in developing an enterprise-wide risk

management program, it has yet to be adequately embedded in strategy execution and
entity culture.15
Boards are becoming more aggressive at pushing management to reassess vulnerabilities

in existing risk management processes and to begin strengthening the soundness of its
risk management analysis to the company’s strategic setting activities. Benchmarking
surveys about the state of ERM consistently find that the launch of ERM is often tied to
the board’s (more specifically the audit committee’s) demand for more robust risk
management processes. Boards are now asking management about their risk oversight
processes and they are adding formal risk discussions to their agendas on a regular
basis. 16 Board are also seeking to take a strategic view of Governance, Risk and
Compliance (GRC) by setting and articulating the organization’s “Enterprise Risk
Policy and Appetite” and the role of each GRC function. 17 Despite these emerging
trends, board members still believe they need to have a better handle around issues
affecting strategic risk.
In his latest book, Owning Up: The 14 Questions Every Board Member Needs to Ask,
Ram Charan’s one of the questions is “Are we addressing the risks that could send our
company over the cliff?” 18 According to Charan, boards need to focus on the risk that
is inherent in the strategy and strategy execution:
“Risk is an integral part of every company’s strategy; when boards review
strategy, they have to be forceful I asking the CEO what risks are inherent in the
strategy. They need to explore “what ifs” with management in order to stress-test
against external conditions such as recession or currency exchange
movements.”19
Regarding risk culture, Ram Charan provides the following insight: “Boards must also
watch for a toxic culture that enables ethical lapses throughout the organization.
Companies set rules – but the culture determines how employees follow them.”20
15
The Conference Board’s Overseeing Risk Management and Executive Compensation Report (December
2008).
16
See the article by Mark Beasley, Bruce Branson, and Bonnie Hancock, titled “Rising Expectations:
Audit Committee Oversight of Enterprise Risk Management,” Journal of Accountancy, April 2008, pp.
44-51.
17
See the article by Mark L. Frigo and Richard J. Anderson, “A Strategic Framework for Governance,
Risk and Compliance” Strategic Finance February 2009.
18
Charan, Ram Owning Up: The 14 Questions Every Board Member Needs to Ask, John Wiley & Sons
(2009)
19
(2009) p. 23
20
32

Regarding CEO compensation and risk management, Ram Charan’s commented:

“Using a single measure, even a sophisticated one like economic value added, can’t be
relied upon. ……..and they shouldn’t all be accounting measures ………Those
measures miss the risks that could become evident at a later date, a phenomenon we
witnessed in most invest banks……… (measures) should acknowledge risk factors that
don’t lend themselves well to quantification, thus allowing the board to exercise its
judgment on whether management achieved its goals with appropriate risk.”21
Critical Steps for Value-Added Strategic Risk Management

Strategic risk management is increasingly being viewed as a core competency at both
the management and board levels. In fact, board members are increasingly focused on
strategic risk management, asking executives such questions as “Of the top five strategic
business risks the company faces, which ones are you looking at, and what are
countermeasures are you devising?” The Strategic Risk Management Lab in the Center
for Strategy, Execution, and Valuation at DePaul University is sharing with
management teams and boards emerging best practices gleaned from its research.
Consider the following a working list of practices worth striving toward.22
1. Communicate and share information across business and risk functions—
and externally This is considered by some to be the ultimate risk management
“best practice”.
2. Break down risk management silos. Establish interdisciplinary risk
management teams, so that each functional area can understand where it fits
into the entire company strategy and how it affects other areas.
3. Identify and, where possible, quantify strategic risks in terms of their impact
on revenue, earnings, reputation, and shareholder value.
4. Make strategic risk assessments part of the process of developing strategy,
strategic plans, and strategic objectives. Again, this requires a combination of
skills that can be achieved by creating interdisciplinary teams.
5. Monitor and manage risk through the organization's performance
measurement and management system, including its Balanced Scorecard.
6. Account for strategic risk and embed it within the strategic plan and strategic
plan management process. Wherever scenario planning is included in the
strategic plan, there should also be a discussion of countermeasures in the event
that a risk event occurs.
(2009) p. 28
21
(2009) p. 87
22
See article by Mark L. Frigo, “Strategic Risk Management: The New Core Competency” Balanced
Scorecard Report, January-February 2009
33

Chapter 2
7. Use a common language of risk throughout your organization. Everyone must

understand the organization's particular drivers of risk, its risk appetite, and what
management considers acceptable risk levels.
8. Make strategic risk management, like strategy management itself, a
continual process. Risk is inherently dynamic, so risk management and
assessment must evolve from being an event to being a process—and must
include regular analysis and critical risk information refreshes. Strategic risk
management reviews should be conducted as part of regular strategy reviews.
9. Develop key risk indicators (KRIs) to continuously monitor the company's
risk profile. Like the Balanced Scorecard with its measures, targets and
initiatives, the risk management system should include KRIs, thresholds and
trigger points, and countermeasures to mitigate or manage the risk.
10. Integrate ERM into Strategy Execution Systems. This means integrating ERM
into entire management system. This will require strategic risk management as a
core competency in organizations and a commitment to continuously monitor
and manage risk in the strategy and its execution.
Moving Forward with Strategic Risk Management

The need to connect strategy and enterprise risk management couldn’t be more relevant
than it is in the current economic climate. Effective strategic risk management is likely
to make the difference between survivability and demise for many. Designed
effectively, the connection of ERM and strategy should be value adding, allowing the
enterprise to be more proactive and flexible in managing uncertainties tied to strategies
as they unfold.
The key to successful strategic risk management is the ability to identify those risks that
are embedded in the organization’s business strategy that are potentially the most
consequential. Focusing on strategic risks serves as a filter for management and boards
of directors to reduce the breadth of the risk playing field and ensure that they are
focused on the right risks.
34

What is “Strategic Risk Management?”
Strategic Risk Management is a process for identifying, assessing and

managing risk anywhere in the strategy with the ultimate goal of
protecting and creating shareholder value. It is a primary component
and foundation of Enterprise Risk Management; is effected by boards
of directors, management and other personnel; it requires a strategic
view of risk and consideration of how external and internal events or
scenarios will affect the ability of the organization to achieve its
objectives; it requires an organization to define a tolerable level of
risk or risk appetite as a guide for strategic decision making; and is a
continual process which should be embedded in strategy setting and
strategy management.-
Mark L. Frigo, “When Strategy and ERM Meet” Strategic Finance January 2008
Definition of “Strategic Risk Management”
1. A process for identifying, assessing and managing risk anywhere in

the strategy with the ultimate goal of protecting and creating
shareholder value.
2. A primary component and foundation of Enterprise Risk Management
(ERM);
3. Effected by boards of directors, management and others;
4. Requires a strategic view of risk and consideration of how external
and internal events or scenarios will affect the ability of the
organization to achieve its objectives;
5. Requires an organization to define a tolerable level of risk or risk
appetite as a guide for strategic decision making;
6. A continual process which should be embedded in strategy setting
and strategy management.
35

Chapter 2
CREATING A STRATEGIC RISK MINDSET AND CULTURE23

How risky is our strategy? What events and risk scenarios could ruin our business? Do
we have the right countermeasures and risk management strategies in place? These are
just some of the questions on the minds of executives and board members today.
A Strategic Risk Management Mindset

A strategic risk management mindset focuses on examining how well a business
strategy will perform under different scenarios and events. It encourages and supports
thinking about scenarios where the strategy could perform so poorly that it could
potentially result in significant losses, destruction of shareholder value, or a damaged
corporate reputation. For example, management at Fidelity Investments knows that
their strategy of providing investment services to an investor base all across the globe
creates unbelievable demand for resiliency in its information technology functions. The
tolerance for information systems outages or lack of access to pricing information
approaches zero. They know that customers have little appetite for Fidelity to say their
“systems are down.” Thus, one of the key areas of focus of Fidelity’s Risk Advisory
Services Group is to oversee the business continuity planning processes at Fidelity.
A strategic risk mindset should also consider the “upside” of risk. 24 For example,
Target sidestepped the competitive threat from Wal-Mart by focusing on a customer
segment different from Wal-Mart’s and achieved profitable growth opportunities in the
process. As another example, Samsung confronted with serious brand erosion and
commoditization risk turned its attention to build on product innovation, speed to
market and a strong brand to turn a position of weakness into a position of market
strength.
Risk can include loss of tangible assets, and it can also mean the potential loss of one of
the company’s most valuable assets—its reputation.25 The H.J. Heinz Company has
centered its enterprise risk management function around supporting an ultimate goal of
protecting the Heinz reputation. In fact, its ERM program is formally known within as
“Enterprise Reputation and Risk Management (or ER2M).” Heinz’s ER2M helps enable
the company to meet two primary reputation related goals: to further support doing the
common thing uncommonly well and to help Heinz become the most trusted packaged
23
This section is adapted from Frigo, Mark L. “When Strategy and ERM Meet,” Strategic Finance,
January 2008.
24
See Slywotzky, Adrian, The Upside of Risk: The 7 Strategies for Turning Big Threats Into Growth
Breakthroughs, Crown Business, 2007.
25
For a discussion on the importance of reputation risk management, see the article by Robert Eccles,
Scott Newquist, and Roland Schatz titled “Reputation and Its Risks,” Harvard Business Review, February
2007.
36

food company. To help management see the importance of thinking about risk and
reputation, Heinz defines risks as “anything that can prevent the company from
achieving its objectives.” They recognize that any event that affects the Heinz reputation
in the food industry will directly impact its ability to achieve its objectives.
Ultimately, strategic risk management and ERM need to be connected with the potential
impact on shareholder value. Effective strategic risk management should provide a way
for identifying and evaluating how a wide range of possible events and scenarios will
impact a business’s strategy execution, including the impact on the assets and
shareholder value of the company. That’s how risk management is positioned at the
Dow Chemical Company. The objective of effective enterprise risk management at Dow
is to improve management’s ability to run its business under the view that if they can
manage risks better, they can be more competitive. Management and the board realize
they have the responsibility to pursue opportunities, which will require the assumption
of risks. They seek to assume those risks in a well-managed, controlled manner that
recognizes the reality that as new strategies are created, new risks arise that need to be
managed.
The Return Driven Strategy framework provides a way to evaluate the strategic risks of
a company from the perspectives of shareholder value risk, financial reporting risk,
governance risk, customer and market risk, operations risk, innovation risk, brand risk,
partnering risk, supply chain risk, employee engagement risk; R&D risk, and
communications risk. It also provides a useful framework for understanding the cause-
and-effect linkages in critical risk scenarios and explains how those scenarios would
play out in the business strategy and impact profitability, growth, and shareholder
value.26
The framework encourages thinking around these risk categories:

• Shareholder Value/Investor risk provides a high-level overview of risk and is
driven by future growth and return on investment as reflected in the plans of the
company and the company’s perceived ability to execute on it. Anything that
will impede growth and returns, including the risk of unethical activities of the
company, should be considered in assessing shareholder value risk using the first
tenet of Return Driven Strategy®, “Ethically Maximize Wealth.”
26
For more about Return Driven Strategy, see Mark L. Frigo and Joel Litman, Driven: Business Strategy,
Human Actions and the Creation of Wealth, Strategy and Execution, 2008 and see
www.returndriven.com.
37

Chapter 2
• Financial reporting risk is driven by reporting irregularities in areas such as

revenue recognition, which can result in restatements of financial reports and be
devastating to shareholder value.
• Governance risk is driven by factors such as controls and governance
capabilities, including the need for compliance with laws and regulations.
• Customer and market risk is driven fundamentally by the extent to which a
company’s offerings fulfill otherwise unmet needs, and this provides protection
against competition.
• Operations risk can be driven by any part of the value chain and often surfaces
with the inability to deliver offerings, which is at the heart of Return Driven
Strategy.
• Innovation risk is driven by the inability to change or create offerings that fulfill
customer needs better than your competitors do.
• Brand risk includes the risk of brand erosion and damage to a company’s
reputation.
• Partnering risk is driven by the activities of your partners, from vendors to joint
ventures, to other associations, including counter-party risks.
• Supply chain risk focuses on the increasing risk in outsourcing and global supply
chains.
• Employee engagement risk is driven by the employment practices of the
company.
• R&D risk is driven by the processes and pipeline of options for new offerings for
future growth.
• Communications risk is driven by how well your company communicates
internally and externally.
Recognizing Value of Strategic Risk Management at High-Performance

Companies
Research on high-performance companies can provide valuable insights about risk
management. High-performance companies are vigilant to forces of change, and they
manage risks and opportunities better than other companies. The Return Driven
Strategy® framework developed during a decade-long study describes the types of
business strategy and activities that have been shown to drive superior and sustainable
performance, based on a decade-long study of more than 15,000 high-performance
companies around the world, using more than 25 years of performance data. The
Return Driven Strategy® framework is built on a simple premise: by better
understanding how the success or failure of a business is driven by its plans and actions,
we can improve how we value companies—and run our businesses.
38

The research provides valuable insight about risk management. High-performance

companies are vigilant to the forces of change, and they manage risks and opportunities
better than other companies. Companies can use the framework to identify and assess
risk in their strategic plans, to develop performance measures to monitor those risks, and
to identify risk metrics for Balanced Scorecards and strategy maps.
One of the challenges facing management teams is how to link business plans and
enterprise risk management. As executives and directors review plans and strategies,
they can use three approaches to improve ERM with the ultimate goal of protecting
shareholder value and corporate assets.
There are three approaches for effective strategic risk management to consider: (1) a
strategic risk assessment process, (2) a process to identify and protect Genuine Assets
that are at risk, and (3) strategic risk monitoring and performance measurement.
Building a Strategic Risk Assessment Process

A simple process for strategic risk assessment involves four steps:27
1. Risk Assessment of Plans. Strategic risk assessment can begin by conducting an
overall risk assessment of strategic plans, including an understanding of how they drive
value and the key assumptions those plans are based upon. This assessment includes
scenario analysis of various iterations of changing assumptions surrounding drivers of
the strategy.
2. Identify Critical Risk Scenarios. The next step is to identify and describe
“critical risk scenarios” considering the severity and likelihood of the events and
scenarios that might occur, especially those outside management’s control, such as
systemic risks. At this stage, management and the board need to define their overall
appetite for these critical risk scenarios.
3. Identify Countermeasures. Next, management would identify possible
countermeasures for managing the critical risk scenarios and would consider the
cost/benefit of the countermeasures.
4. Establish a Process for Continuous Monitoring. Management would establish
a process for continuous monitoring of the risk profile of the company, including the use
of key risk indicators (KRIs) and best practices of performance measurement and
performance management such as the balanced scorecard.
Here are some questions to address during a strategic risk assessment process:
• What events or scenarios could create significant downside risk in your
business strategy and plans?
27
See article by Mark L. Frigo, “When Strategy and ERM Meet” Strategic Finance, January 2008
39

Chapter 2
• What key assumptions have been made about the viability of specific
strategic initiatives and what ranges of possible scenarios exist
surrounding the variability inherent in these assumptions?
• What is our appetite surrounding certain strategies and their associated
ranges of key risk exposures? What is the worst case scenario
surrounding each strategy and would the entity be able to survive certain
risk events?
• What countermeasures have been developed to address these risk
scenarios and events?
• Has the company considered the upside of risk and how it plans to realize
the opportunities?
• What are the roles of the CFO, general counsel, chief risk officer (CRO),
internal audit, and others in assessing and managing the threats and
opportunities in your plans and business strategy?
• How is enterprise risk management incorporated and embedded in your
plans and business strategy?
• What performance measures and key risk indicators are you monitoring
to continuously assess and manage strategic business risk?
There are several approaches to building a strategic risk management process. Several
are described next.
Risk Assessments--One approach is to regularly assess strategic risks from three
perspectives: risks, opportunities, and capabilities (ROC). Risks are about risk of loss--
the downside of risk, such as loss of revenue or loss of assets. Opportunities are about
the upside of risk, such as opportunities for gains in revenue, profitability, and
shareholder value. Capabilities are about distinctive strengths of an organization that
can be used to manage the risks and opportunities.
Tools for Risk Assessment--There are many tools that can be useful in strategic
risk assessment, including brainstorming, analysis of loss data, self-assessments,
facilitated workshops, SWOT (strengths, weaknesses, opportunities, threats) analysis,
risk questionnaires and surveys, scenario analysis, and other tools.
Competitive Intelligence--The area of competitive intelligence (CI) can be a
valuable part of strategic risk management. CI is an integral component of fact-based
strategic planning processes. It should definitely be part of strategic risk management
and ERM. “The ethical collection and analysis of CI can reduce the risk associated
with strategic decision making” says Gary Plaster of the Landmark Group and a
founding member of the Society of Competitive Intelligence Professionals. Around 400
BC, Sun-Tzu in The Art of War wrote “Keep your friends close and your enemies
closer” which is one way of thinking about CI. For example, pharmaceutical
companies are vigilant about being at trade shows and scientific meetings, and they
40

monitor clinical trials in the industry. “War games” are used at pharmaceutical
companies like Wyeth to develop plans to counter potential market moves by
competitors. Competitive intelligence is an asset that can be used to manage customer
and market risks.
Corporate Sustainability Risk--One of the areas often overlooked in risk
management is related to corporate sustainability and corporate social responsibility
(CSR). Connecting strategy and CSR is a challenge for executive teams, as Debby
Bielak, Sheila Bonini, and Jeremy Oppenheim wrote in their October 2007 article,
“CEOs on Strategy and Social Issues,” in The McKinsey Quarterly. The risks and
opportunities facing companies in the area of corporate sustainability are more complex
and have greater potential impact than ever before, and senior executives, board
members, and managers are seeking better ways to manage these challenges and
opportunities. In his book Making Sustainability Work, Marc Epstein presents a
definition for corporate sustainability that’s useful in strategic risk management. He
focuses on nine principles of sustainability: ethics, governance, transparency, business
relationships, financial return, community involvement/economic development, value of
products and services, employment practices, and protection of the environment. Each
of these areas can be assessed as part of strategic risk management. For example,
changes in environmental regulations and expectation of environmental standards for
companies in a global business environment should be considered in risk assessment
and risk management strategies.
Risk Transfer and Retention Strategies--One of the basic countermeasures for
managing and mitigating risk involves risk transfer and retention strategies. After
identifying critical risk scenarios, which include the potential effect on company assets
and shareholder value, management must determine how much should be retained or
transferred. The risk management strategy should consider whether to protect corporate
assets by purchasing insurance, self-insuring, or creating a captive. This assessment will
require a deep understanding of the types and limits of insurance and consideration of
emerging legal, regulatory, and political trends; damage awards; geographic locations;
available insurance products; and options as well as coverage law.
“Genuine Assets” at Risk

Some of the most valuable assets of an organization aren’t on the balance sheet.
Genuine Assets include the most valuable tangible and intangible resources and
capabilities of an organization and must be protected because some of them may be at
risk.28 Companies routinely insure tangible assets on the balance sheet to protect against
28
For an discussion on Genuine Assets, see Chapter 12 “Genuine Assets” in Frigo, Mark L. and Joel
Litman, Driven: Business Strategy, Human Actions and the Creation of Wealth, Strategy and Execution
(2008).
41

Chapter 2
loss. But what about protecting the Genuine Assets?
Genuine Assets are the tangible and intangible resources, capabilities, and traits that
make an organization and its offerings unique, such as employee expertise, brand,
reputation, etc. As mentioned, some Genuine Assets appear on the balance sheet, but
many don’t. As the “building blocks” of strategy, Genuine Assets form the basis for
creating sustainable competitive advantages. And only through these advantages can
you plan and execute business strategy that leads to higher returns, higher growth, and,
ultimately, increased market value.
Genuine Assets: Unique Capabilities and Resources at Risk
Activities can be copied:

Competitors can target the same
customers, the same needs
Everyone innovates, increase
efficiencies, actively brand
Genuine Assets create sustainable
differentiation
Lack of Genuine Assets lead to
commoditization
Genuine Assets create competitive

advantages
Proprietary customer information
Unique processes
Partnerships and relationships
Patents
Genuine Assets must be considered in ERM Brand equity, Reputation
What Genuine Assets are at Risk?
Deep domain expertise
What are the strategies to protect these assets?
When identifying these assets, management should be very specific as to what the
Genuine Asset is. They should think specifically about how it allows the company to
accomplish its strategy in ways other firms couldn’t, thereby leading to higher
performance. How difficult would it be for another firm to develop a similar Genuine
Asset, allowing it to copy the activity that led to high performance? How long would it
take? How much money would it cost?
42

Identifying Genuine Assets at Risk
Customer Relationships & Intellectual Capital

Intelligence Deep domain expertise
Strong Customer Relationships Patents and trademarks
Customer Intelligence Unique data or information or the ability to gather it if
Proprietary Customer Information necessary
Physical
Value Chain Relationships & Specialized or well-located facilities
Intelligence Specialized or well-located plants or distribution
Unique partners
Alliances Financial
Key vendors Deep pockets, CASH
Vendor Intelligence, Communication Access to capital
Unique government relationships Financial strategy that fits the organization
Management Talent and Human Resources

Brand Special characteristics of the Board, CEO, and executive
Reputation team such as industry relationships and expertise
Awareness Strong ethical leadership, teamwork
A very “deep bench”
Processes & Capabilities
Deep domain expertise Employees
Execution through Teamwork Employee knowledge
Product development processes Employee communication
Distribution or channel power Employee engagement
Economies of scale or scope
Customer communications processes
To help identify and manage the risk to Genuine Assets, management should ask three
questions:
1. What are the most valuable and unique capabilities and resources (Genuine
Assets) of the company?
2. What scenarios and events could put the most valuable Genuine Assets at risk?
3. What countermeasures can be developed to protect these assets?
Examples of Genuine Assets to consider in a risk assessment would include corporate

reputation, customer information, competitor intelligence, vendor intelligence,
specialized processes and capabilities, existing patents and trademarks, and intellectual
property that should be protected with patents, trademarks, and other means.
Customer information is an example of a Genuine Asset that must be protected.

Information security is a big issue at most companies, yet breaches occur, sometimes
with significant potential impact. For example, the British government recently
announced that government workers lost two computer disks containing names,
addresses, dates of birth, national insurance numbers, and banking information for
approximately 25 million residents of the U.K., almost half its population. Effective risk
management in the area of data security requires the right mind-set and attitude toward
information security among employees. It requires an understanding and awareness that
43

Chapter 2
the information on a $20 storage devise or a $1,000 laptop, if not protected, could result
in potential loss of customers, corporate reputation and shareholder value.
Some Genuine Assets can support and be part of an effective risk management strategy
and can help protect a company against risks. For example, having a “Plan B” in place
for potential disruptions in critical parts of the supply chain is an example of a Genuine
Asset for effective strategic risk management. Another example is employees having a
risk mind-set and risk attitude that support the organization’s strategy and risk appetite.
44

The Directors Primer on Strategic Risk Management
Introduction
Understanding and managing an organization's risks has becoming an increasingly
important part of governance processes and the role of the director. The activity
commonly referred to as “risk management” has continued to evolve and become more
recognized as a necessary part of an organizations overall governance process. Risk
management had its roots in the financial services industry but today it has found
applicability across all industries. This evolution has also included the awareness that,
while there are many risks faced by an organization on a day-to-day basis, the
organization’s strategic risks are the real purview and focus of directors. To help
management and directors move up the learning curve on risk management, this article
discusses some of the basic concepts of risk management, helps define strategic risk
management and offers practical recommendations for directors on these important
topics.
The New Dynamics of Risk and Risk Management

Understanding and managing an organization's risks is not new concept. In many ways,
understanding and managing risk has been a part of day to day management activities all
along. When the concept of risk management as a separate activity first surfaced, a not
uncommon reaction from management could have been paraphrased as “we manage risk
everyday, that’s what we get paid to do!” And, they were not wrong. Managers on a
day- to-day basis knew where the risks were and what could cause problems and would
address those. However, there was usually little transparency around the process of
managing risks and few attempts to compile and discuss the overall risk profile of the
organization.
Over the past few years, the concept of risk management as a separate activity has
developed and moved from a conceptual idea to become a more acknowledged part of
an organizations’ governance process. For many organizations, “risk management” had
been a term used solely to describe the organization’s process of obtaining insurance to
cover certain insurable risks. Risk management functions, focused on broader enterprise
risks first became more evident in the financial services industry in the 1980’s as those
organizations took on various trading and market risks. During the 2000’s, the concept
and activities of risk management functions evolved significantly as evidenced by these
four events.
o COSO Enterprise Risk Management – Integrated Framework,

September, 2004
45

Chapter 2
o NYSE Corporate Governance Listing Standards revision requiring audit

committees to discuss risk management, November, 2004
o Moody's Special Comment “Best Practices for a Board's Role in Risk
Oversight,” Aug 2006
o Standard & Poor’s announcement May, 2008 “Enterprise Risk
Management: Standard & Poor’s To Apply enterprise Risk Analysis to
Corporate Ratings”
These events made it clear that it is no longer sufficient for management to just say that
they managed risks every day. For example, Moody’s Special Comment indicates that,
“Moody’s set high expectations for boards’ role in shaping a firm’s risk appetite and
ensuring a proper risk management framework is in place.” There are clear needs for
organizations to acknowledge that risk management has to be a key governance activity,
up to and including the directors. Additionally, there is a corresponding need for
transparency around the risk management processes. Particularly given the focus of the
rating agencies, directors must insist that, if their organizations are not moving forward
on risk management on some basis, management begin to develop an approach to risk
management.
For this to occur, senior management and the directors need to move up a learning curve
on risk management, rather that attempting to leap from having no formal risk
management processes or function to a fully implemented enterprise risk management
function. Our observations from dealing with a number of organizations and their
directors are that systematically moving up the learning curve, rather than trying to leap
frog too far too fast, is a critical success factor in successfully evolving an organization's
risk management processes. The mantra should be to “get moving, but keep it simple.”
Taking small, understandable steps is important to keep everyone coming up the curve
together as is the need to keep moving up from one level to the next.
The Strategic Risk Management Perspective

Another critical success factor for implementing risk management is to acknowledge
that, while various types and levels of risks are everywhere you look, the focus of the
directors and senior management must be on the most strategic and significant risks.
This focus is now referred to as strategic risk management. In their May 2008
publication, Standard and Poor’s notes that strategic risk management, identifying and
managing those risks that are most consequential to the firm, is one of the two
predominate areas that its reviews will focus on. Also, keeping in mind the concept of
strategic risk management may be a useful filter for directors as they learn more about
their organization’s risks and debate the types of risks and activities that they should
46

focus on. This perspective can help the directors ensure that their valuable time and
efforts are focused at the right areas and risks.
Clearly then, one of the key challenges for directors is to understand the real strategic
risks that could impact shareholder value and the risk management processes around
those strategic risks. That requires a process between management and the directors to
identify and agree on those critical risks that can potentially have the most impact on
stakeholder value. This also must be a manageable and understandable set of risks.
Generating longs lists of possible risks events and page after page of risks and events,
while real, may be more confusing and cloud the identification of the most critical risks.
Applying the concept of strategic risk management, organizations recognize that while
many risks have the potential to cost the organization some money, certain risks have
the potential to significantly impact shareholder value. Those are the risks that should be
on the radar of the directors. To assist directors and management in identifying real
strategic risks, some organizations use a framework, such as the Return Driven Strategy
framework described below.
Moving up the Risk Management Learning Curve

To begin the process of education and moving up the risk management learning curve,
the directors should initially concentrate in two areas;
1. the identification of the organization’s risk profile and appetite, and
2. the understanding and evolution of management’s risk management processes.
47

Chapter 2
Moving Strategic Risk Management along the Value Continuum
Strategic
-Proactive board and
senior management
Aware involvement
-Board and senior -Risk managed and
management support assessed across entire
Reactive -Risk leaders identified organization using a
SRM framework
-Lack of Board or senior -Periodic risk profiling
management emphasis on risk -Common language and
-Key risks defined in approach used and
-No common risk language common vocabulary understood
-Stove-pipe risk management -Recognized need for -Continuous and Real-
ERM time monitoring and
-Ad hoc approach
analysis of risk portfolio
-Missing coverage of risk areas
-Strategy and
Performance Measures
aligned with Risk
Management
Directors should consider starting with some simple exercises to identify and understand
the organization’s strategic risks and the resulting composite risk profile. Some
organizations have used meetings of the board or with management to develop and
agree on a “top ten” list of strategic risks. Others have used their internal or external
auditors to assist them in developing and prioritizing lists of the key strategic risks.
Another good approach is to take the organizations strategic plan and “mirror” it with an
analysis of the risks associated with each major activity of the plan. To help frame such
discussions, some organizations find it useful to work off a framework, such as the
Return Driven Strategy, to give them a way to systematically work through the process.
The Return Driven Strategy framework defines a set of tenets and foundations which
fully describes the business strategy and activities that drive the best performing
companies in the world. Related to each tenet are risks that form a strategic risk
framework. This framework allows management and directors to hone in on key risks
that could destroy shareholder value while considering the upside risk in terms of
opportunities, thereby using it as a strategic risk management framework.
48

Once the directors and senior management have developed their initial set of strategic
risks, they should consider activities that will assist them to better understand the risks
and related mitigation activities. For example, a standing agenda item may be added to
their board or audit committee agenda for risk management. This time could be used for
more detailed presentations by management on how individual strategic risks that have
been identified are mitigated and monitored. For example, one audit committee
developed a template that business leaders use to develop presentations to discuss the
key risks in their businesses. The use of the template ensures consistency of the
presentations and keeps the discussions focused in the areas of highest interest. These
discussions include critical points such as;
1) How does the business make money?

2) What are the primary risks in the business in doing that?
3) What mechanisms are used to monitor the risks?
4) What are the risk thresholds or triggers that prompt action?
These types of presentations serve both to enhance the education and understanding of
the directors while bringing additional transparency to the organization’s risk
management processes.
49

Chapter 2
The identification of the key strategic risks also enables management and the directors
to move into the discussion and articulation of the organization’s risk appetite. The
Moody’s Special Comment highlights that, “ Best practice call for the risk appetite to be
clearly and explicitly identified in terms of the types of risks that the firm is ready to
retain and the total exposure it is comfortable with.” The discussion and setting of the
risk appetite can be both an enlightening and difficult corporate governance initiative.
We observe that too few organizations have gone through this exercise and have an
informed understanding of their risk appetites.
Risk management processes are those processes that an organization uses to identify,
mitigate and manage risks. Often, as organizations begin looking at their risk
management processes, they find that the processes are immature or informal. In these
situations, the COSO ERM Integrated Framework is a useful tool to help identity gaps
in risk management processes and opportunities to enhance existing processes. Again,
for those organizations just moving into risk management, a critical success factor is to
keep the processes and resulting reporting simple and understandable. As the
organization’s risk processes evolve, you can move to more complex processes and
reporting. In the beginning, simple exercises like compiling a list of the "top 10 risks
facing the organization" can an effective way to get the topic on the table. A periodic
meeting to review and update the list may also be an effective way to refresh the list and
expand the topics.
Directors should also consider where the risk management activities should be
conducted and what the right level of resources should be. Some use the audit
committee and seek to leverage the work of their internal and external auditors. Other
organizations have formed separate risk committees of the board, to take some of the
workload off the audit committee and facilitate a more in depth focus on risk
management. Management should also discuss with the directors how the risk
management process is structured and managed within the organization and whether a
separate ERM function is appropriate or if risk management can be conducted through
another corporate function. These discussions also should include how risk management
is handled or imbedded into the lines business activities, to create an entity wide risk
management culture.
Great Expectations
Directors need to challenge themselves and their organizations to move up the risk
management learning curve. The complexities of the world today and the “raising of the
bar” from a corporate governance standpoint will both demand that directors and
management devote more time and attention to risk management activities. There are
50

great expectations on the part of directors to manage strategic risks. However, while
the need is there to get moving, organizations need to acknowledge that they are moving
up a learning curve. "Keep it simple” is the rule of the day to get started. Directors will
need to focus their limited time on strategic risks, and ensure that the organization has
the necessary awareness and management activities around those key risks.
Continuing evolution of the process will ensure that expectations are met both internally
and externally as ERM increasingly takes hold.
Risk Management Guiding Principles

During our work in the Strategic Risk Lab with management teams and in conducting
research on risk management, we have identified certain principles that apply when
management teams are implementing risk management. These “Risk Management
Guiding Principles” are useful as background concepts and discussion points for teams
undertaking initiatives to implement or enhances their risk management activities.
Risk management in many organizations will

involve the board and management going up
both learning and maturity curves
• Learning curve about what is risk management, benefits, etc
• Maturity curve is where the organization is and wants to be
Organizations need to move up both curves to be

successful
Page 15
51

Chapter 2
The implementation or enhancement of risk

management processes are best approached
using incremental steps rather than trying to
make a quantum leap
• Gives people a chance to go up the curves
• Affords the opportunity to see benefits at each step
• Allows a phase-in of resources
Page 16
You can get started without adding

incremental resources
• CAE’s often serving as catalyst
• Committees may also be useful
Page 17
52

Board and senior management support is

probably the most critical key to successful
risk management
• Risk management increasingly acknowledged as a board

responsibility
• Doesn't mean board has to do this by themselves

• Management committee
• Board risk committee
• Management risk champion
Page 18
Risk management processes and information

flows must be transparent and inclusive
• “silos” noted in many studies as impeding successful risk
management
• Info sharing and flows may be most critical factor for some
organizations ability to avoid or minimize risks
• Organizations who say they “already manage risks every day…….”

rarely seem to have these transparent flows
Page 19
53

Chapter 2
Organizations need to recognize and leverage

their existing risk management processes,
even if very informal and disjointed
• Organizations may have more risk management processes in place
than they acknowledge
• Often “low hanging fruit” is leveraging and sharing existing
processes
• However, old adage that “We already manage risk every day we
operate!” is not adequate today
• Transparency is needed
Page 20
Risk management processes and practices are

continuing to evolve
• Verdict is still out on long term
• A lot of good information etc. keeps coming out
• ISO 31000
• Great opportunity for risk champion to assist the board and senior
management to keep up and exercise responsibilities
• Evolving environment again supports use of incremental steps
Page 21
54

The Return Driven Strategy Framework

This chapter presents an overview of the Return Driven Strategy Framework and its
relationship to strategic risk management.
• The Return Driven Strategy and Risk Management 56

• Article: “Return Driven: Lessons from High Performing Companies” 63
55

Chapter 3
The Return Driven Strategy and Risk Management
Rising Expectations
Enterprise risk management (ERM) has become top priority for directors and senior
management. In various ways, investors, regulators, rating agencies, employees and
corporate activists have all raised their expectations for organizations around how risk is
understood and managed. Rising expectations for better risk management are reflected
in a recent global survey of enterprise risk management in the insurance industry
conducted by PricewaterhouseCoopers which identified increasing stakeholder scrutiny
as a key driver in the recent development of enterprise risk management and noted that
the bar is set to rise further in coming years.29
These growing expectations also focus on more than just the general process of risk
management or general, legalistic risk discussions in financial disclosures. With the
recent major business failures, these expectations are more and more aimed at the core
issue of whether management and the directors understand fully and are managing
effectively the organization’s key strategic risks arising from the organization’s core
business strategy.
Responding to these expectations can take many different forms; from creating formal
enterprise risk management functions to more informal discussions and initiatives.
However, any initiative into the broad topic of “risk” has the possibility of literally
burying the participants with long lists of risks or events that the organization is exposed
to and blurring the focus of both management and the directors. Long lists of risks can
also mask those risks that are most significant to the organization and its ability to create
value for its stakeholders.

Increasingly, a new term, strategic risk management, is being used to describe those
activities that really deserve, and require, the attention of directors and senior
management. 30 Strategic risk management is the identification, mitigation and
monitoring of those risks arising out of the organization’s business strategies that are
most consequential to the organization and its shareholders. Focusing on strategic risks
serves as a filter for directors to reduce the breadth of the risk playing field and ensure
that they are focused at the right risks. The question often heard poised to CEOs
“What are the risks the keep you up at night?” is important to consider, but the real
danger is that executives may be worried about and focused on the wrong risks.
29
“Does ERM Matter?” Report by PricewaterhouseCoopers, June, 2008
30
“Beasley, Mark S. and Mark L. Frigo, “Strategic Risk Management: Creating and Protecting Value”
Strategic Finance, May 2007
56

The key to successful strategic risk management is the ability to identify those risks that
are embedded in the organization’s business strategy that are potentially the most
consequential. This linkage of business strategy to the resulting strategic risk is critical.
However, in some organizations, while it may be possible to identify strategic risks
simply through informal or formal discussions, that type of approach may be hit or miss
and leave open the possibility of missing a critical risk, creating dangerous “blind spots”
in risk monitoring and risk management. To better enable a holistic analysis of strategic
risk, a tool or framework that would facilitate the analysis, understanding and discussion
of critical strategic risks would be most helpful.
Return Driven Strategy is a proven framework that describes the pattern of strategic
activities shown to drive superior corporate performance. The framework has been used
and vetted by many organizations as an effective way to develop and analyze business
strategies. The key tenets and foundations of the Return Driven Strategy also can be
viewed from the perspective their associated risks. Each tenet and foundation presents a
type or types of risks that are related to that specific strategic activity. When viewed
through this lens, the result is a Strategic Risk Management Framework that mirrors the
Return Driven Strategy and can also be used to identify the strategic risks in an
organization’s business strategy. Beyond the identification of strategic risks, this
framework can assist in the articulation of the organization’s risk profile and risk
appetite. In fact, the first tenet of Return Driven Strategy, “ethically maximize wealth”
requires boards and management to define shareholder value creation objectives and
define an acceptable level of risk in doing so.31
This chapter presents the Strategic Risk Management Framework (derived from the
Return Driven Strategy framework) and demonstrates its use a tool for strategic risk
management.
The Strategic Risk Management Challenge

Boards and management are being challenged to identify and manage those risks that
are most consequential to their organizations; strategic risk management. A good
example is the recent announcement by Standard & Poor’s.32 In May 2008, Standard &
Poor’s (S&P) announced that they would begin applying enterprise risk analysis to
corporate ratings for non-financial companies. They indicated that their reviews would
predominately focus on the risk management culture and strategic risk management.
Regarding strategic risk management, S&P further indicated that they would explore;
31
Frigo, Mark L. and Joel Litman, Driven: Business Strategy, Human Actions and the Creation of Wealth,
Strategy and Execution, 2008 p. 29
32
Enterprise Risk Management: Standard & Poor’s to Apply Enterprise Risk Analysis to Corporate
Ratings (May 7, 2008).
57

Chapter 3
Management’s view of the most consequential risk the firm faces, their likelihood
and potential effect of credit,
The frequency and nature of updating the identification of these top risks.
The influence of risk sensitivity on liability management and financing decisions;
and
The role of risk management in strategic decision making.
The critical nature of strategic risk management was also discussed recently in a speech
by then Governor of the Federal Reserve System Randall S. Kroszner in October of
2008. In his remarks, Governor Kroszner commented:33
“Risk management needs to be interwoven into all aspects of the firm’s business
and should be part of the calculus for all decision-making. Strategic decisions
about what activities to undertake should not be made unless senior management
understands the risks involved….”
Consistent with Governor Kroszner’s comments are findings in a recent issue of The
Bulletin, Protiviti listed as one of their “Ten Common Risk Management Failures,” not
integrating risk management with strategy setting and performance management. 34
According to Protiviti, “to avoid this failure, management should implement an
integrated approach and discipline to deploy strategy and manage the associated risks.”
The challenge then for directors and senior management, is to identify, among the
plethora of risks, those risks that are really strategic in exposure and are critical to the
success of the business. This challenge drives directly into the linkage and
understanding of an organization’s basic business strategy and the risks embedded in it.
Information Sharing
Another developing best practice, information sharing, was identified in a study entitled
“Observations on Risk Management Practices During the Recent Market Turbulence”
released by the Senior Supervisory Group (SSG) in March of 2008, identified effective
firm-wide identification and analysis of risk as one of four firm-wide practices that
differentiated performance.35 That study observed that, “…firms that performed well
33
“Strategic Risk Management in an Interconnected World,” speech by Governor Randall S. Kroszner of
the Federal Reserve System at the Risk Management Association Annual Risk Management Conference,
Baltimore, Maryland, October 20,2008
34
“Ten Common Risk Management Failures and How to Avoid Them” The Bulletin, volume 3, issue 6,
Protiviti
35
“Observations on Risk Management Practices during the Recent Market Turbulence,” report issued by
the Senior Supervisors Group, March 6, 2008
58

through year-end 2007 generally shared quantitative and qualitative information more
effectively across the organization.”
Transparency
A further part of this challenge is transparency; maintaining open and ongoing dialog
around these key topics. The SSG study also observed that in firms that experienced
greater difficulties, “….business line and senior managers did not discuss promptly
among themselves and with senior executives, the firm’s risks in light of evolving
conditions in the marketplace.”
To assist management and directors to address strategic risks, a framework that would
facilitate the identification, understanding and communication of the organization’s
strategic risks, would be valuable. Since the focus is on strategic risks, building a
framework off a business strategy framework would facilitate the direct linkage between
strategy and strategic risk.

The Return Driven Strategy framework is a hierarchy of strategic activities and
foundations based on the practices of the best companies in the world and described in
the book Driven: Business Strategy, Human actions and the Creation of Wealth. The
framework was developed based on an extensive, 10 years of research, screening of over
15,000 companies for 20-30 years of data and is based on three dimensions of
performance:
1. Superior and sustainable return on investment
2. Growth while maintaining superior return on investment, and
3. Superior total shareholder returns.
The Return Driven Strategy framework is composed of 11 core tenets and three
foundations that together form a hierarchy of interrelated activities that companies must
perform to deliver superior performance. The framework has been used by boards of
directors, executives, management teams and educators to assess and develop strategy,
communicate strategy, align and leverage execution frameworks and to manage risks.
59

Chapter 3
The Return Driven Strategy Framework and Strategic Risk

Each of tenets of the Return Driven Strategic framework can also be viewed from the
perspective of the risk associated with that tenet, in effect creating a risk hierarchy.
For example, a key supporting tenet is “Deliver Offerings.” Embedded in that tenet are
strategic risks such as operations or technology risks which would inhibit an
organizations ability to deliver its offerings. Using the Return Driven Strategy
framework in this manner, would allow an organization to first breakdown its business
strategy into their critical components and then assess the strategic risks associated with
each key tenet and foundation activity. The resulting Strategic Risk Management
Framework forces consideration of risk from the perspective of the organization’s
strategy and may help focus on certain risks that are not typically included in more
traditional enterprise risk assessments.
60

For example, to compete in the global market place, more and more organizations are
entering into new business combinations such as joint ventures or investments often in
developing countries. This approach may be core to the organizations future growth.
However, while much effort may be focused at the mechanics of structuring deals and
investments, the questions arise as to the organizations understanding of the related
strategic risks from these activities. The Strategic Risk Management framework
includes consideration of Partnering Risk would point to potential risks to the
organization arising from inappropriate, ineffective or unethical activities by its business
partners. These types of risk might not be identified in traditional risk assessment
processes. Further, the comprehensive nature of the Strategic Risk Management
framework facilitates an integrated look at the organizations strategic risks including the
identification and analysis of the interconnections and dependencies of the various risks
to each other.
Again, in our example, a joint venture may open markets and allow for competitive cost
structures, but the exposure the partner presents to brand, reputation, and the ethics of
the organization must also be considered as risks.
Linking Strategic Risk with Business Strategy

This strategic risk process then links the business strategy with its related risks and gives
management the ability to consider those risks in its strategic decision making process.
61

Chapter 3
The organization could then further tailor its own Strategic Risk Management
Framework and begin to formalize its strategic risk management process, including
consideration of the frequency of updating the strategic risk assessment. Combined, the
two frameworks form an effective tool to assess the organization’s strategy and the
embedded risks. Aligning the organizations risk appetite and strategy is a basic
component of Enterprise Risk Management as described by COSO. According to
COSO, “Management considers the entity’s risk appetite in evaluating strategic
alternatives, setting related objectives, and developing mechanisms to mange related
risks.”
Determination of Risk Appetite “Guiding Principles”
Risk
Risk Risk
Risk
Capacity
Capacity Appetite
Tolerance
Determination
of risk appetite
Risk
Risk
Profile
Profile
62

63

Chapter 3
64

65

Chapter 3
66

67

Chapter 3
68

Return Driven Strategy and Strategic

Risk Management
This chapter discusses in detail the Strategic Risk Management Framework and its
principal risk categories.
• The Strategic Risk Management Framework 70

• Article: Strategic Risk Management: Creating and Protecting Value 93
• Article: When Strategy and ERM Meet 101
• Article: Co-Creating Strategic Risk Return Management 106
69

Chapter 4
Strategic Risk Management36
The Strategic Risk Management Framework is derived from the Return

Driven Strategy framework. It displays the high-level strategic risks
inherent in each of the tenets and foundations of the strategy
framework. Using the two frameworks, an organization can first
breakdown its business strategy into their critical components and then
assess the strategic risks associated with each component. This process
links the assessment of strategic risks directly with the organization’s
strategy and can help focus on certain risks that are typically not
included in more traditional risk assessments.
36
From Frigo, Mark L. and Richard J. Anderson, Strategic Risk Management: A Primer for
Directors and Management Teams (2009) available for order online at
http://www.lulu.com/content/7245785. The book DRIVEN is available on Amazon.com
70

Return Driven Strategy and Strategic Risk Management
Management Tools for Strategic Risk Management
Return Driven Strategy Strategic Risk Management
The Strategic Risk Management Framework contains 11 strategic risk

categories that correspond to the 11 tenets of the strategy framework.
These risk categories build on top of 9 other risk categories that
correspond to the three foundations of the strategy framework. The
additional risk categories are necessary because of the breadth of the
three foundations of the strategy framework. For example, the
foundation tenet of Vigilance to the Forces of Change encompasses
sustainability risks, financial market risks, regulatory risks and the broader
category of emerging events.
Remember: Risk Elements are Interrelated

While the framework presents each risk area as separate and distinct, as
with the Return Driven Strategy framework, there are clear relationships
and linkages between various risk categories. For example, while
Partnering is a separate risk area, that risk can also arise in other areas
such as Operations. Several of the risk categories also highlight types of
strategic risks that are taking on increased levels of exposure as a result
of certain macro global trends such as off shoring and demographic
shifts. Finally, recent events, such as large losses in value as a result of
certain behaviors driven by short term incentive plans, are raising new
perspective on some of the more traditional strategic risks such as
Employee Engagement. Overall, the Strategic Risk Management
71

Chapter 4
Framework affords management and the directors a useful approach to

consider and focus on the specific strategic risk categories that may be
impacting their organizations.
We would now like to discuss each of the strategic risk categories in more
detail to demonstrate their applicability and usage.
Ethically Maximize Wealth
1-Investor Risk: The risk of loss of investors or shareholder

value because the organization does not
have an ethical culture or control
practices to protect and create
shareholder value.
Studies in support of the Return Driven Strategy have clearly reflected

that major ethical lapses cause significant loss of shareholder value.
Closely related to this risk is the risk to value if the reputation of the
organization suffers a significant negative event. The negative event
72

may be the result of an ethical lapse or the result of a failure in another

area that impacts the organization’s overall value. In either case, the
organization suffers from the lack of a culture that reinforces the
importance of ethical behavior and controls and responsiveness to
protect the organizations value and its reputation.
The importance of developing and maintaining an ethical culture as the

bedrock for protecting the organization’s value cannot be over
emphasized. As part of that culture, companies must consider and have
in place response plans to respond quickly and decisively to events that
threaten their ethics and reputation. In this regard, scenario analysis may
be a very useful tool in thinking through what the specific events are
which could trigger this type of risk and also the related responses.
In assessing its exposure to this type of strategic risk, the organization must
look objectively at itself and consider whether, in reality, it has
established and nurtured an ethical culture and not just mouthed the
words. The landscape is littered with failed organizations (think Enron)
that had written and published glowing statements on their ethics but
really did not come close to living the words.
Key Questions;
- Have tangible steps been taken to establish and communicate
the expected culture?
- Is ongoing training conducted to reinforce the ethical culture?
- Are surveys or assessments conducted to test the strength of the
culture?
- Has the organization conducted scenario analysis to identify
potential risk events?
- Are compensation and incentives aligned with protecting and
creating shareholder value?
- Are corporate governance and controls aligned with protecting
and creating shareholder value/
Second Tier – The Goal Tenets
2-Customer Risk: The risk that the organization loses its
73

Chapter 4
customers because it does not have

processes in place to continually research
and understand the current and future
unmet needs of the customers.
This risk manifests itself in organizations that are described as “losing

touch with their customers.” The risk results from the lack of formal
processes and data on the current and future needs of the customers. It
may also be apparent in organizations that are unable to precisely
define who their customers even are. In situations where a new strategy
is being deployed or new acquisitions considered, the strategic risk
assessment must include an articulation of who the customers are and
what their unmet needs are that would be addressed by the strategy or
acquisition. The fit or those new customers and needs with the
organization’s existing customers and needs is also a strategic question
and risk.
In many organizations, technology is deployed as a major enabler to

mitigate and mange this risk. Organizations also realize that this is a very
dynamic risk and managing it requiring constant attention and ongoing
processes.
Key Questions;
- Has the organization a clear understanding of who its customers
are and why they do business with the organization?
- Are processes in place to capture and analyze customer data?
- Does the organization have a view of what the current and future
unmet needs of its customer are?
- Is customer/need assessment a required part of any new strategic
initiative?
- To what extent do the company’s offerings fulfill otherwise unmet
customer needs vs. commoditized needs?
- Are customer needs being fulfilled by the organization increasing,
decreasing or stable?
74

Customer Risk
Definition
The risk associated with:

1. Losing market share
2. Losing share of wallet
3. Decreasing customer profitability
Customer Risk Characteristics
• Customer Priority Shifts

• Increasing Customer Power
• Over-reliance on a Few
Customers
Customer Risk - Example

De-Risk Moves Example – Winning Customers
• Understand and Create Differentiated
Customer Value
• Innovate Offerings
• Target Appropriate Customer Groups
Example – Losing Customers
Example – Cell Phone Handsets
• Motorola was largest provider –

invented cellular technology
• Slow to market with new products
• Focused on technology not “fashion &
features” when customers wanted
“fashion & features”
• Lost leader position to Nokia and LG
• Spinning off Cell Phone Group
3-Market Risk: The risk of loss of customers or failure at

attract customers because of the inability
to identify appropriate customer groups
or the inability to detect significant
75

Chapter 4
changes in the size or growth rates of

customer groups.
One of the major global trends affecting organization today is very

dynamic changes in the demographics of their customer bases. For
example, in the US, we are seeing the aging of the baby-boomers
coupled with the growth of Latino and Asian populations. On a global
scale, many organizations are seeing increased customer populations in
countries such as India and China.
The risk evident here is the inability to retain or attracted customers as

these demographic shifts occur. Strategies that are focused solely at
existing customers may present significant exposure to this risk. Clearly,
managing this risk requires an external focus and data to monitor and
get a picture of developing demographic shifts.
Key Questions;
- Does the organization have a demographic profile of its customer
base?
- Are processes in place to periodically update the demographic
profile?
- Is someone in the organization responsible to monitor
demographic data and shifts?
- Does the organization segment customer groups with similar
customer needs?
- Are the number of customers served by the organization
increasing, decreasing or stable?
- Does the organization monitor the factors that affect the ability of
customers to buy you offerings?
Third Tier – The Competency Tenets
4-Operations Risk: The risk that the organization’s processes,

operations and technology are
inadequate to efficiently execute the
strategy and deliver the offerings.
76

Operations risk is a widely recognized risk in many organizations. Often,

this risk monitored on a real-time basis through metrics such as error or
processing rates or systems metrics such as up-time. While these
monitoring activities are important, they may not address the strategic
aspects of this risk. For example, a new business strategy may anticipate
significant growth in customers but not have sufficient operating support
to deliver to those new customers. In some cases, investments in new
strategies are focused at marketing or acquiring customers without
sufficient investment in operational support.
In tough economic times, cost cutting initiatives can raise the profile of
this risk. For example, consolidating locations or suppliers may give rise to
increased exposure to this risk. Other areas where this risk has taken
strategic implications are current trends in outsourcing and off-shoring.
An organization may find itself exposed to significant operations for a
third-party risk as a result of these initiatives.
Accordingly, in strategic risk assessments, the ability of the organization to

understand its exposure to this risk on both strategic and tactical levels is
critical. Both levels require detailed assessment, mitigation and
monitoring processes.
Key Questions:
- Is someone in the organization responsible for monitoring
Operations Risk?
- Are operating metrics and processes in place to monitor the
quality and efficiency of operations?
- Has the organization assessed its operational exposure to third-
parties?
- Are trigger points in place to identify potential problems as they
develop?
- Are appropriate contingency and back up plans in place with key
operations and suppliers?
5-Innovation Risk: The risk of loss of customers or market

share because of the inability to innovate
new offerings.
77

Chapter 4
Clearly the inability to innovate offerings is major strategic risk. However,

monitoring and mitigating this risk may be more complicated than one
might think. Truly innovated offerings and services are end products.
Accordingly, simply measuring R&D spending is not sufficient to address
this risk. The organization must determine what innovating really means
to them in end products and establish monitoring processes accordingly.
This does not mean that the organization will not have some mistakes or
failures as it innovates offerings. However, the organization must have
processes in place to measure and monitor its overall success with
innovation.
Key Questions;
- Does the organization define its innovation activities?
- Is someone in the organization responsible to monitor and report of
innovation activities?
- Are processes in place to monitor and report on innovation
activities?
- Does the organization monitor the innovation activities of its
competition?
- Does innovation focus on changing the entirety of the offerings to
better fulfill customer unmet needs?
- Does the organization have the capabilities to co-create offerings
with customers and suppliers?
6-Brand / Reputation Risk: The risk to shareholder value because of

the inability to correctly brand the
offerings or to protect the brand and the
organization’s reputation once
established from negative internal or
external events.
We view brand risk as more closely related to an organizations offerings

and customers, while reputation risk encompasses the overall
organization. Often, an organization realizes that its brand or brands are
significant assets and the risk is the loss of value to that asset because of
a negative event. Organizations also realize that exposure to this risk is
not just because of a negative event, often the risk relates to the
timeliness of actions in response to an event that threatens the brand.
78

The Tylenol case is often cited as an example where timely action

protected a valuable brand.
Reputation risk also has an extremely wide impact in terms of the

stakeholders it can affect. Beyond investor stakeholders, loss of
reputation can impact the organization’s employees, suppliers,
customers, and virtually any other stakeholders of the organization.
Brand risk is another category where scenario analysis may be a useful

tool for risk assessment. Brainstorming sessions to consider possible events
that could negatively impact the brand may be useful to both assess the
risk and also develop action plans to respond to brand threats. Scenario
brainstorming should also be very broad and consider both internal and
external events. Here again, the organization may incur risk through
strategic initiatives such as outsourcing or off-shoring of its suppliers or
manufacturers.
Key Questions;
- Is someone in the organization responsible for monitoring and
protecting the brand?
- Is an executive responsible for reputation risk?
- Are actions plans in place to respond to events that threaten the
reputation?
- Has the organization assessed the exposure to its brand from third-
parties?
- Have scenario analysis been conducted to identify possible threats
to the brand?
- Are action plans in place to respond to events that threaten the
brand?
- Does the organization continually monitor its reputation and
brand?
- How well is the brand of the organization make the connection
between your offerings and your customers’ otherwise unmet
needs?
Fourth Tier – The Supporting Tenets
79

Chapter 4
7-Partnering Risk: The risk to the value of the organization

arising from inappropriate, ineffective or
unethical activities by its partners.
As previously noted in some of the tenets above, many organizations are

facing increased risks as a result of various partnering activities being
conducted with third-parties. While the concept of partnering is not new,
certain partnering activities are now being undertaken as part of an
organization’s core business strategies and accordingly have a much
higher level of strategic importance. Examples of these include
outsourcing information technology, off shoring of major processing and
accounting activities, outsourcing manufacturing or large joint ventures.
The risks associated with certain of these activities have become more
evident lately. For example the well publicized problems the certain US
companies have encountered as a result of the use of lead paint by their
suppliers in China.
Often, these strategic partnering activities are being undertaken with the
objectives of reducing the organizations cost structures by moving
processes to either lower cost locations or having the process performed
by third parties who specialize in the activities as a core competence.
When seeking these cost advantages, organizations must also consider
carefully the risk implications of the partnering initiative and how those
risks will be monitored and mitigated. These types of risk may include
both the activities of the third-party, as well as the dependencies the
organization has with that third party. Clearly, a lower cost structure that
significantly increases an organization’s risk profile is not desirable.
Contingency planning is a critical aspect of mitigating this risk. As an

organization’s dependency on any third party increases, so does its
needs to have contingency and back up plans in the event that that
third party is unable to perform up to the expectations or contractual
requirements of the arrangement.
Timing is also a critical factor in addressing this area of strategic risk. The
risks, monitoring and mitigation activities must be considered and
addressed during the negotiating phase of a relationship. Once the
80

relationship is formalized in a contact, it may be very difficult to go back

and require the third party to performed needed monitoring or reporting.
This is an excellent example of why strategic risk management needs to
start with the planning process.
Key Questions;
- Has the organization identified all its key strategic partners?
- Are appropriate performance monitoring and measurement
processes in place to monitor the performance of third-parties?
- Do contracts appropriately address the performance criteria
including unethical activities that are required from third-parties?
- Are contingency plans in place for each strategic partner?
- Is an assessment of Partnering Risk required for any proposed
initiative with a new strategic partner?
8-Value Chain Risk: The risk to the organization from the failure
or inability to perform by any key element
of its value chain.
The failure of any key element of its value chain is a clear strategic risk.
For example, the failure of a key supplier in the supply chain can expose
the organization to a significant loss of business. Or, poor or even
negligent or illegal activities by a key supplier can also have a huge
negative impact on the organization.
Another element of this risk can be the lack of efficiencies in the value
chain. Today’s global marketplace, with its ability to shift processes to
lower cost environments, has placed an increased premium on cost
effectiveness and accordingly, the risk associated with it.
Mitigating this risk also involves maintaining an appropriate balance with

other tenets such that the quest for cost efficiencies does not simply
trump all other tenets. Cost effective processes must still be able to
achieve the organizations strategic goals and tenets.
The organization must also consider both the internal and external
elements of its value chain including not only its core operating
81

Chapter 4
processes but also support functions such as, finance, control or legal.
Key Questions;
- Are appropriate processes in place to monitor performance
across the organization’s value chain and supply chain?
- Are appropriate back up plans and redundancies in place for key
elements of the value chain?
- Does the assessment process for cost cutting initiatives include
assessment of the impacts on other strategy tenets?
- Is there an ongoing, continuous improvement process to ensure
that operational processes are reviewed to increase their
efficiency?
9-Employee Engagement Risk: The risk that the organization is unable to

execute the strategy because of the
inability to attract, retain, compensate or
otherwise appropriately engage its
employees.
Human resources risk is another area where an acknowledged,

traditional risk category has taken on much more strategic implications in
recent times. The ability to attract and retain talent has long been a
critical factor and risk in any organization’s ability to execute its strategy.
While this continues to be the case, two additional areas are presenting
increased risk to organizations related to engaging their employees.
The first of these areas is the risk of being unable to attract or manage a
more diverse workforce in the face of changing demographics. In the US,
as the baby boomer population moves into its retirement phase,
organizations will increasing be unable to rely on their traditional
methods of attracting talent. They will be faced with the challenge of
attracting and then managing a more diverse workforce in order to fill
their human capital needs. There simply will not an adequate supply of
traditional talent.
A related trend is the move to more global operating models. This

necessitates that organizations develop the ability to attract and
manage global workforces. This can create strategic risks in that the
82

labor pool in some countries may not have the risk and control
orientation and education that is expected.
A second area of employee engagement risk that has become more

evident is the risk imbedded in management compensation and
incentive plans. Recent events in some companies have highlighted the
risks that some incentive these plans not be aligned with the
organizations long term goals. Further, some plans may drive activity that
presents significant strategic risk to the organization, as evidenced by the
huge loss in value at certain financial services companies where
executives were highly compensated for creating and trading highly
complex derivates instruments.
Key Questions;
- Is an executive of the organization responsible for overseeing
Employee Engagement Risk?
- Are appropriate processes in place to monitor this risk?
- Are benefit and compensation plans reviews for consistency with
the organizations strategic goals and objectives?
- Do the employees understand the strategy of the organization and
how they contribute to achieving it?
- Does the organization have the right incentives to create
alignment between employee engagement and the
organizations’ strategy?
- Does the organization provide growth and development
opportunities for its employees that enhance employee
engagement toward achievement of the organizations’ strategy?
10-Planning Risk: The risk that the organization is unable to

appropriately respond to unanticipated
changes impacting its strategy because
of the lack of flexibility or options in its
planning processes.
Put simply, this risk emphasizes the point that strategies need both
monitoring and “Plan B’s.” Monitoring is addressed more specifically as
one of the foundations. The focus with Planning Risk, is the need for
alternatives or contingency plans to address unanticipated changes
83

Chapter 4
impacting the strategy. As generals are aware that battles are rarely
fought exactly as they had planned them, so too, businesses need to
consider the risk that their strategies will not be implemented exactly as
planned. Mitigating this risk is also a pro-active not a reactive situation.
Businesses need to consider and think through options before events
place them in a situation where they do not have luxury to think but are
in a critical reactive stance.
Planning Risk is also focused on options and responses, not necessarily

trying to anticipate every event that could impact the strategy. It is
really focused at having alternatives and options. Conversely, the
absence of any “plan B” options or contingency plans may be evidence
that this risk has not been considered and addressed.
Key Questions;
- Does the organization’s strategic planning process require the
presentation and inclusion of options and alternatives?
- Does the strategic planning process include periodic assessments
to identify and respond to unanticipated events?
- Does the organization have new options in the pipeline to support
future growth?
11-Communication Risk: The risk that the organization is unable to

design or execute two-way
communications strategies with its
stakeholders, employees and customers
that build a common understanding of
the organization’s culture, strategy and
offerings.
Common understanding of expected culture, strategy and offerings is

another necessary ingredient for successful strategy. Particularly in the
area of culture, communications and understanding is critical.
Communications also plays a key role in strategy implementation as it is
one of the principal change management techniques used in
implementing significant changes. Management and the directors may
have a clear understanding of the culture and strategies they are
implementing, but without effective two-way communications, the risk
84

increases that they will not be successful as employees, customers and

others may not understand and align around the expected strategies.
The organization also needs to consider external communications to

customers and other external stakeholders. Customers in particular need
to understand how new strategies will be responsive to their needs.
Other external stakeholders such as regulators or rating agencies also
need clear and effective communications of the organization’s
strategies and culture.
Key Questions;
- Are appropriate ongoing communications conducted to
communicate and reinforce the organization’s strategy and
culture?
- Do communications processes support effective two-way
communications?
- Are communications processes broad enough and include
appropriate external stakeholders?
- Does the organization test or assess the effectiveness of its
communication’s processes?
- Does the organization have a consistent internal and external
message which reflects its core values and strategy?
- Does the organization monitor when and how it is being
mentioned in the press and Internet, including social networking
platforms and Blogs?
- Does the organization proactively communicate its brand and
core values?
- Are investor relations activities aligned with drivers of strategic
valuation (return on invested capital; capital efficient profitable
growth)?
The Foundations
Genuine Assets
A-Genuine Assets Risk: The risk of the loss of value because of the
inability to create, protect and grow the
85

Chapter 4
organization’s genuine assets.
Organizations typically are concerned about the risk of loss of assets,

particularly through fraud. However, this concern is usually focused at
financial statement assets, which may not include significant genuine
assets of the organization. Management and the directors need to
understand the definition and strategic importance of the organizations
genuine assets. Or in the case of new strategies, what genuine assets
are being developed or grown as an objective of the new strategy.
Management of this strategic risk then must start with a clear

understanding of what the organization’s genuine assets are. It may be
a very beneficial exercise for the organization to define its genuine
assets, as compared with its financial assets, and then consider how its
genuine assets are protected and grown. The organization may identify
significant exposure in certain of its genuine assets that are not protected
by the same level of controls as certain of its financial assets. For
example, an organization may decide that it has market or customer
data that are genuine assets but find that the data has a much lower
level of security and protection than some of its financial data this is not
as valuable.
Key Questions:
- Has the organization defined and inventoried its genuine assets?
- Has the organization assessed the adequacy of its controls to
protect its genuine assets?
- Has the organization identified genuine assets to grow or create as
part of its strategies?
Vigilance to Forces of Change
B1-Emerging Events Risk: The exposure presented because of the

inability of the organization to identify or
correctly size emerging internal or external
events.
Recent history has witnessed a number of large scale events that have
had significant negative impacts on organization. Some of these events
86

have been situations where their probably of occurrence would have

been considered very low, however, their impacts were not only
significant but, in some cases, catastrophic to the organization. This has
pointed to the need for ongoing processes to identify, assess and
respond to emerging risks.
In implementing or executing its strategy, an organization must consider

more than just financial performance measures to understand the
ongoing performance of its strategy. Forward looking processes must be
in place to enable it to consider change events, both internal and
external, that would give rise to risks to the organization and its strategy.
In particular, the processes must consider the possible impacts of external
events and systemic events that are beyond the control of the
organization.
Key Questions:
- Are ongoing processes in place to identify emerging risks and
events?
- Is someone in the organization responsible to monitor emerging
risks?
- Are policies and practices in place to encourage information and
knowledge sharing across the organization to help identify
emerging risks and events?
- Are executive management and directors periodically informed or
emerging risks?
B2-Financial Market Risk: The risk that the organization is unable to

execute its strategy because of the
inability to access capital or cash.
Exposure to financial market risk is a more traditional strategic risk facing

organizations, particularly those dealing with financial instruments.
However, here again, recent history has included systemic and in cases,
seismic events in financial markets that are unprecedented. For
example, the loss of liquidity in the credit markets as banks responded to
unprecedented stress in their portfolios.
While many organizations have well developed treasury functions that
87

Chapter 4
are constantly monitoring this risk, an organization must consider and

develop response plans to both expected and unexpected levels of this
risk. For example, how would they access cash or capital if their
traditional banking lines were frozen?
Key Questions;
- Are processes in place to effectively monitor exposure to financial
market risks?
- Is someone in the organization responsible for monitoring and
managing Financial Market Risk?
- As appropriate analytical tools and techniques utilized to monitor
this exposure?
- Are appropriate action plans in place to respond to events in the
financial markets that threaten the organization’s ability to
execute its strategy?
- Has the organization considered exposure to systemic market
disruptions?
B3-Sustainability Risk: The risk that the organization is unable to

continue to execute its strategy because
of the lack of sustainable processes and
operations.
Sustainability may be one of the newest areas of strategic risk for many
US companies. In some other parts of the work, Europe for example,
sustainability has been an issue and risk for a longer time. However, in
the US, sustainability is growing in importance as a key issue with various
stakeholders, particularly customers.
Because of its newness, this is another risk area where it may be

necessary as a first step to develop a definition and view on their risk
area within an organization. It may be beneficial to conduct an
assessment or inventory to identify where the risk may currently present in
the organization or its strategy. This knowledge may then be used to
consider where, on a more forward think basis, the risk may be or
develop in new strategies or initiatives.
Key Questions:
88

- Has the organization assessed its exposure to corporate

sustainability?
- Does the organization have corporate sustainability strategic
objectives?
- Is someone in the organization responsible for monitoring this risk?
- Is the organization effectively monitoring new developments and
processes in sustainability?
B4-Regulatory Risk: The risk that regulatory or legislative

changes will inhibit the organization’s
ability to achieve its objectives.
Organizations today only operate in an environment with a significant

amount of regulatory and legal requirements. Further, the pace of
change and the breadth of new regulations appear to be increasing.
Coupled with this pace of change is the increased aggressiveness of
various state, federal and regulatory organizations in policing and
litigating infractions. Accordingly, it is imperative for the organization to
be vigilant for changes to regulation that can impact them and also
vigilant in operating in compliance with new laws and regulations. The
potential magnitude of possible actions and sanctions has raised this risk
to the level of a strategic risk.
Key Questions:
- Does the organization maintain a current inventory of legal and

regulatory requirements?
- Does the organization have a process to monitor possible new laws
and regulations?
- Are regulatory exposures assessed as part of any new strategic
initiative?
- Does the organization have a process in place to notify
appropriate management and directors and respond
appropriately to any potentially significant legal or regulatory
matter?
Disciplined Performance Measurement & Valuation
C1- Governance Risk: The risk of loss of assets or exposure to

legal or regulatory actions because of the
89

Chapter 4
lack of appropriate and effective

governance, legal, control or risk
management processes and practices.
A number of recent events, including major frauds, systemic risks, and the
changing legal and regulatory environment have combined to raise the
level of governance risk in many organizations. Investors, regulators, and
other third parties, such as rating agencies, are also seeking more
transparency around risk, control and governance processes. In the US,
the Sarbanes-Oxley Act has raised the focus on financial controls, but
recently other risk and control areas such as enterprise risk management
are receiving increased attention.
More specific to strategy, there is an increased focus on strategic risk

management by directors, shareholders and rating agencies. Good
governance practices must include the identification, monitoring and
mitigation of risks imbedded in business strategies or strategic initiatives.
Organizations must also have sound and appropriate governance
processes to enable achieve of their strategic objectives.
Addressing this risk area may also begin with an assessment or inventory
of exactly what the organization’s key governance processes are across
the down through the organization.
Key Questions;
- Has the organization defined its governance processes and
activities?
- Has the organization assessed the adequacy of its governance
processes?
- Are processes in place to identify and consider developing
practices in corporate governance?
C2-Financial Reporting Risk: The risk of loss of value or reputation

because of inaccurate or fraudulent
financial reporting.
Addressing financial reporting risk was the primary objective of the
90

Sarbanes-Oxley Act. Public companies who report under the

requirements of that act have been required to put processes in place to
both assess and report on the adequacy of their financial controls over
this risk. External auditors have also been required to revise their auditing
processes to place increased focus on this risk.
For many organizations, complying with the requirements of SOX has

been a very costly and time consuming undertaking. But, as a result of
these efforts, this area of strategic risk in most public companies has
received the most attention and is quite possibly in the best shape. The
challenge for companies going forward is to sustain the effectiveness of
these financial controls as SOX compliance continues to be made more
routine.
Key Questions:
- If the organization reports under the Sarbanes-Oxley Act are
management and the directors satisfied with the effectiveness and
operations of the compliance efforts?
- If the organization does not come under SOX, has management
and the directors considered how to assess and monitor financial
reporting risks?
- Do the directors periodically receive information from the
organization’s external auditors on their views of the organization’s
controls over financial reporting?
C3-Valuation Risk: The risk of loss of value through

inappropriate or erroneous models
and valuation techniques.
Increasingly, organizations are utilizing various types of models to

generate both financial information and critical management
information. Typically these include valuation and risk models for certain
types of derivative financial instruments, credit rating and exposure
models, loss projection models and other types of statistical models. It
has also become apparent that in certain organizations, the level of
91

Chapter 4
exposure present by inappropriate or erroneous models was much higher

than anyone anticipated. It may also be an example of a type of risk
where there are very few individuals in an organization who have the
technical skills and knowledge to understand fully the workings of models
being used.
As a starting point, some organizations have found it useful to undertake
an inventory to identify their inventory of models and types of exposures
that are being impacted. Here again, the organization must consider
risks in more than just the financial areas and consider where else critical
decisions or performance assessments are being driven or impacted by
mathematical models.
Key Questions;
- Hs the organization conducted an inventory to identify all critical
models and valuation tools?
- As policies in place requiring appropriate independent validation
of key models and tools?
- Have appropriate staff reviewed and approved the key
assumptions in the models?
- Do policies require appropriate controls over modifications and
generation of new tools?
C4-Fraud Risk: The risk of loss of genuine assets because

of internal or external fraud.
Here again is an example of a more traditional area of risk that has taken
on more strategic implications. Traditionally, fraud risk has been viewed
by many as more or an operational or transaction related risk. However,
recent history has revealed a number of financial frauds of a size and
magnitude that they destroyed entire entities. World Com and Enron are
examples of this type of situation. As a direct result of those frauds, US
public companies who are reporting in accordance with the Sarbanes-
Oxley Act, must conduct a fraud risk assessment. Accordingly, Fraud Risk
must be considered as a strategic risk with potential to impact
shareholder value.
Fraud risk must also be assessment broader than just the financial fraud
implications. To assess its exposure to various types of fraud, an
92

organization should utilize scenario analysis to think through possible

internal and external fraud schemes. The organization should also
consider the impact of macro trends such as globalization for this area.
In this regard, information such as various corruption indices published by
Transparency International may be useful in assessing an organization’s
exposure to fraud risk in certain countries.
Key Questions:
- Has the organization conducted a comprehensive fraud risk
assessment, or reviewed fraud assessments conducted by its
internal or external auditors?
- As appropriate processes in place to allow employees and
customers to communicate concerns about possible frauds, for
example whistleblower hotlines?
- Are processes in place to ensure that investigations of suspected
frauds are handled by appropriate parties?
- Is the organization in compliance with the requirements of
significant legal requirements such as the Foreign Corrupt Practices
Act and the Federal Sentencing Guidelines?
Strategic Risk Examples
The following examples show the relationship between the tenets of Return Driven
Strategy and associated Strategic Risk.
93

Chapter 4
Examples of the linkage

between tenets and risks
Ethically maximize wealth Investor risk
• Define wealth explicitly on terms of Loss of investor or shareholder
monetary goals, timetables, and value because of ;
acceptable risk levels • Compensation and incentive
• Commit managers to wealth creation plans are not aligned with
as defined, and align the entire protecting and creating
organization’s plans and activities shareholders value
toward the wealth-creation goals
• Accounting irregularities or fraud
• Create an ethical culture and operate
within the ethical boundaries of the • Unethical or illegal business
communities served – as those practices
communities would define, or all • Major recalls of dangerous
wealth potential is put at unnecessary products
risk
• Inappropriate or illegal executive
actions

Fulfill otherwise unmet
customer needs Customer risk
• Identify – and have a process for • Loss or revenue or margin because of
continually identifying – exactly what the inability to retain a niche market
needs cause customer to buy • Loss of revenue because of the
• Identify – and have a process for inability to anticipate niche needs
continually identifying – what • Unsuccessful investments as a result
customers would buy if it were of creating and attempting to sell
available, but cannot. offerings that the customer base
• Be vigilant to forces of change which does not want
affect customer needs, customer • Unsuccessful investments because of
perceptions of their needs, and the inability to identify unmet needs of
ability to gather information about new customer base or fit into existing
those needs. Adjust to these changes, offerings
even radically when necessary
94


Partner Deliberately Partnering risk
• Consider a wide range of potential • Loss of revenue because of significant
partnerships and be creative in failure in the supply chain by a
developing new types of strategic partner
relationships that can support the • Damage to reputation and value
competencies of the firm because of ethical , legal or
• Deliberately choose partners based regulatory matters of a strategic
on an assessment of the Genuine partner
Assets brought by each partner and • Losses due to fraud on the part of a
how that can help the firm to build strategic partner
unique offerings as the competency • Loss of intellectual property or
tenets require proprietary processes because of
• Create performance measures that theft by a strategic partner
bring incentives to the partners that • Issues because of accounting
support the business strategy. irregularities by a strategic partner
• Contractor challenges
3

Engage Employees and Others Employee engagement risk
• Realize the existence of the complete • Losses in revenue or opportunity
end-to-end employee life cycle, losses because of;
including firm awareness and – Inability to attract and retain talent
recruiting at one end and alumni or – Inability to attract a global workforce
eve customer status at the other end – Inability to provide the right incentives
of the cycle • Increases in expenses for hiring or for
• Create incentives, compensation third parties because of the inability
plans, and other offerings throughout of in-house employees to execute the
the entire employee life cycle that strategy
will create employee engagement • Loss of investment and capital
toward the firm’s goals because of the lack of an adequate
• Create performance measures that workforce to execute the strategy or
are aligned with the achievement of staff growth plans.
the higher tenets • Loss of key employees to competitors
95

Chapter 4
96

97

Chapter 4
98

99

Chapter 4
100

101

Chapter 4
102

103

Chapter 4
104

Chapter 4
105

106

Chapter 4
107

108

Chapter 4
109

110

Chapter 4
111

112

Chapter 4
113

114

Chapter 4
115

116

Chapter 4
117

Conducting a Strategic Risk Assessment

This chapter presents a basic step-by-step approach to conducting a Strategic Risk
Assessment.
• Strategic Risk Assessment: A first step for improving risk management and
governance 116
• High-Level Work Plan for a Strategic Risk Assessment 125
118

Conducting A Strategic Risk Assessment
119

Chapter 5
120

121

Chapter 5
122

123

Chapter 5
124

125

Chapter 5
126

127

Chapter 5
High-level work plan for a

Strategic Risk Assessment
1- Project plan and scope definition
a. Identify project owner and executive sponsor

b. Develop overall project objectives
i. Identify resource requirements’
ii. Identify budget requirement
iii. Identify staff support
c. Develop initial project plan, objectives, timelines
i. Determine format and timing of periodic project status updates
ii. Obtain approval for plan
d. Conduct initial meeting with project plan sponsor and staff participants
e. Brief senior management and board on project and objectives
2- Understand the strategy
a. Obtain current company information of risk

i. Internal information
ii. Publically disclosed information
iii. Peer company information
iv. Public data search
b. Review the Return Driven Strategy framework
i. Classify current information in the framework
3- Data gathering
a. Consider how to use the RDS and SRM frameworks during stakeholder
data gathering
i. Determine format of data gathering from participants
ii. Develop interview briefing materials or surveys as appropriate
b. Determine stakeholder participants
i. Schedule stakeholder activities
c. Determine format for data capture and analysis
d. Execute stakeholder data gathering
e. Compile stakeholder data
128

4- Prepare the preliminary strategic risk profile
a. Using the RDS and SRM frameworks, classify risk data

b. Determine format for strategic risk profile
i. Consider factors such as impact, probability, velocity,
preparedness
ii. Consider graphical presentation
iii. Consider preparing alternate presentations
c. Complete the preliminary strategic risk profile
i. Circulate and validate within the project team
ii. Finalize preliminary strategic risk profile
5- Risk profile validation
a. Identify stakeholder participants for validation

i. Determine approach for validation
b. Conduct validation
i. Capture input and reactions to profile
ii. Revise profile as appropriate
c. Complete profile package and presentation
6- Action plan development
a. Convene or form project team for action plan development

b. Consider completion of Strategic Risk Alignment Guide
i. Identify gaps or areas of focus and develop actions to close
c. Consider completion of Strategic Risk Maturity Diagnostic
i. Determine current state and desired next state
ii. Develop action steps to achieve next stage
d. Consider other areas of possible focus
i. Risk mitigation activities
ii. Risk monitoring activities
iii. Ongoing risk reporting
iv. Education activities
v. Ongoing process for identifying emerging risks
vi. Ongoing update process for strategic risk profile
vii. Senior management and board reporting
129

Chapter 5
7- Communications
a. Identify any additional staff or areas needed for this step

b. Identify groups to be communicated to;
i. Senior management and directors
ii. Line management
iii. Risk and control functions
iv. External constituents
c. Determine the message and appropriate level of detail for each group
d. Determine the core message
e. Develop an ongoing communication process
8- Plan execution
a. Develop project plans and milestones for action plans

i. Identify owner of each action initiative
b. Execute action plans
c. Implement appropriate monitoring and status reporting
9- Project follow up
a. Conduct follow up assessment of project including lessons learned

b. Assess whether overall objectives were met
i. Assess value added by project
130

131

Strategic Governance, Risk and Compliance

(GRC)
This chapter introduces a Strategic Framework for Governance, Risk and Compliance
(GRC) and details a 10 step approach to implementing the framework. The chapter also
discusses the benefits that can be obtained through GRC and its linkage to value
protection.
• Article: A Strategic Framework for Governance, Risk and Compliance 130

• Article: Strategic GRC; 10 Steps to Implementation 133
• Governance and Risk Terminology 140
132

Strategic Governance, Risk and Compliance (GRC)
133

Chapter 6
134

135

Chapter 6
136

137

Chapter 6
138

139

Chapter 6
140

Strategic Governance, Risk & Compliance Framework
VALUECREATION & PRESERVATION
Overall Policy and

Risk Appetite Set by ENTERPRISE RISK POLICY
Board and Executive & RISK APPETITE
Management Policy establishes:
F
I C I I
N O N N - Common Goal of
S Managing the
L T M F. A OrganizationsRisks
A
E P N
F - Risk Framework
G A L T C
E • Expectation of
A U A E E Working
T Relationshipsand
L D I C
Y Knowledge Sharing
I N H S • Role of Each
T C O Function
E X • Foundation for the
“Risk Culture”
RISK ASSESSMENT
EMERGING RISK INDENTIFICATION
RISK/ CONTROL MONITORING (KRI’s)
2
© Copyright 2009 by Mark L. Frigo and Richard J. Anderson
Common Goals for GRC;

ENTERPRISE RISK POLICY
& RISK APPETITE
-Focus on strategic risks to
shareholder value Typically this
F has been the
-Risk appetite I C I I “missing
N O N N link” or glue
-Establish enterprise-wide
L T S for
perspective and risk language M F. A
A successful
E P N
-Foster a mindset of sharing; G A F GRC
L T C
- technology E
- information A U A E E
L D T
- investments I C
Y
I N H S
- Maintain and respect unique
roles and skills T C O
E X
RISK ASSESSMENT
© Copyright 2009 by Mark L. Frigo and Richard J. Anderson 26
141

Chapter 6
Each Risk and ENTERPRISE RISK POLICY

& RISK APPETITE
Control Function
Continues To F
Execute Its Unique I C I I
Role as Part of a N O N N
S
Fully Integrated L T M F. A
A
Effort with a E P N
F
Common Goal to G A L T C
E
Manage The A U A E E
T
Organization’s Risks L D I C
Y
I N H S
T C O
E X
RISK ASSESSMENT
3
© Copyright Mark L. Frigo 2008 - Do not copy or redistribute without express written consent of Dr. Mark©L.Copyright
Frigo 2009 by Mark L. Frigo and Richard J. Anderson
ENTERPRISE RISK POLICY

& RISK APPETITE
F
I C I I
N O N N
L T M S F. A
E P A N
G A L F T C
A U A E E E Other common
Functions identify T
L D I C processcould
and leverage Y
I N H S include;
common
T C O -Technology
processes,
E X -Issues tracking
technologies and
-Reporting
knowledge RISK ASSESSMENT
-Training
4
© Copyright 2009 by Mark L. Frigo and Richard J. Anderson
© Copyright Mark L. Frigo 2008 - Do not copy or redistribute without express written consent of Dr. Mark L. Frigo
142

Chapter 6
Governance and Risk Terminology

By Mark L. Frigo and Richard J. Anderson
One of the results of the recent financial and economic turmoil in the US, has been a
growing focus on corporate governance and its related processes, capabilities and
functions. Directors, senior executives, risk and control managers, consultants and
various vendors are all dealing with various aspects of the corporate governance. In
particular, risk management and the theories, processes and tools related to it are
receiving significant attention. While not necessarily a new concepts, the current
heightened focus on these governance activities has created its own lexicon that is
leading to some confusions and misunderstandings. In some cases, new terms such as
“GRC” have arisen, without clear and consistent definitions. Some older terms, such as
“ERM” and “risk management” likewise have become the source of some confusion.
This article will attempt to clear up some of that confusion and give executives a
common base of understanding for this new governance terminology. Let’s start with
governance and “GRC.”
What is Governance and GRC?

The concept of corporate governance is certainly not new. There is a long history and
legal precedence for an organization’s governance activities. What is new, is the
heightened focus that many organizations are placing on their governance activities.
While the recent economic turmoil has raised the intensity of this focus, other events
over particularly the past decade have been focusing in this direction. Concern with
compliance with regulatory matters such as the Foreign Corrupt Practices Act (FCPA)
and financial regulations such as the Sarbanes-Oxley Act, have caused many
organizations to expand their various risk and control functions. For example, many
organizations formed “Sox compliance” or control units to handle their compliance with
Sarbanes, while others expanded their legal or compliance functions to address FCPA .
Many of these initiatives were also happening in roughly the same timeframes. As a
result, the total cost of compliance and control in many organizations has been
increasing as is the time and effort being devoted to these activities by business units.
As a result of this situation, various initiatives started to develop with an intention to

reduce the total costs of compliance by working across an organization’s governance,
risk and compliance to increase efficiency and effectiveness. This spawned the term
“GRC” which is come into increasingly common use, particularly by consultants and
vendors. However, there is not good universal understanding of the term or its
objectives. In some cases, the “GRC” term is associated with various technology tools,
designed to assess risks or conduct automated tests of controls. In other cases, the
143

Chapter 6
“GRC” label is attached to a unit within the organization that is conducting controls
testing across the organization.
GRC should be really be viewed as a holistic approach or framework, intended to enable

a look across an organization’s various risk and control units to align their unique roles
around common objectives (e.g. protecting shareholder value) and then leverage
common processes and knowledge to increase their efficiency and effectiveness. For
example, an organization may have multiple risk and control units each conducting
separate risk assessments. Under a GRC framework, risk and control units would follow
the same approach, terminology and possibly conduct a single risk assessment process,
which is then used by all the units.
GRC is a way to address the “silos” that have developed in many organizations’ risk and
control units. However, it should not be viewed as an organization chart and is also not
simply a technology exercise. Technology may be an important enabler to affect the
leveraging of certain process and knowledge to realize the benefits of GRC, but it is
much more than just a technology effort. The Strategic GRC Framework, which was
presented in Strategic Finance in February, 2009 displays a frame work that is useful in
explaining these concepts. Executives are cautioned not to just purchase a “GRC tool”
or undertake a GRC initiative without a good understanding of the strategic GRC
framework and objectives for their organization.
What is Risk Management?

Another area receiving significant attention lately is risk management. This has led to a
number of terms whose definitions and relationships are causing some confusion,
specifically; “risk management,” “enterprise risk management” or “ERM” and “strategic
risk management.” Further complicating this terminology fog, is the fact that these
terms in some cases are used to describe processes, while in other cases the same term is
used to describe functional units within an organization. Let’s try to clear up some more
of this fog.
“Risk management” as a generic term is used to describe any of the activities or

processes an organization uses to manage risk. Virtually all organizations have some
risk management activities occurring, even if they are not labeled formally as such.
These can be informal activities or decentralized activities occurring in business units or
more formal activities. It can be very limiting, for example in some companies “risk
management” may be understood to only refer to their insurance activities, or very
expansive such as in organizations that have a “risk management” function conducting
enterprise wide risk activities. Accordingly, the term itself is very generic and it does
144

not define any specific set of activities. It really constitutes a very generic description of
risk activities.
“Enterprise risk management” is a term normally associated with more formal processes
spanning an organization dealing with the organization’s risks. This term is formally
defined by COSO as:
“Enterprise risk management is a process, effected by an entity’s board of
directors, management and other personnel, applied in strategy setting and across
the enterprise, designed to identify potential events that may affect the entity,
and manage risks to be within its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives.”
This is an enterprise wide definition that is supported by the COSO Enterprise Risk
Management – Integrated Framework. That framework is a robust model encompassing
eight interrelated components that run across the entity and its units and four categories
of the organization’s objectives. Given the completeness and span of the COSO ERM
framework, it really represents a model endpoint of what a complete enterprise wide risk
management process would include. As such, organizations often start by implementing
certain of its components as they build their risk management activities rather than
trying to implement the complete COSO ERM framework at one time.
The COSO ERM definition and framework are very clear that they are describing
processes, not functional units. However, in practice, organizations have formed
operating units to establish or conduct their risk management activities, which go by the
name of ERM or enterprise risk management functions. This has added to the fog by
leading some to believe that “ERM” or enterprise risk activities mean a functional unit,
not the process definition established by COSO. We have heard executives comment
that they might be interested in starting enterprise risk activities but are not doing so
because they do not want to establish an ERM functional unit. Unfortunately, that
misunderstanding of the ERM term is not an isolated situation, again caused by the lack
of uniformity in the understanding of ERM. So, while some organizations may choose
to form a functional ERM unit to conduct their risk management activities, ERM is
really a process that can be implemented and conducted without forming a separate
functional unit.
Strategic risk management is another term that is receiving a lot of attention. For
example, Standard and Poor’s uses the term in their 2008 announcement about
expanding their review process to include reviews of risk management activities at non-
financial companies. Strategic risk management is a sub-set of ERM. The COSO ERM
145

Chapter 6
framework applies the components of ERM to four categories of business objectives;

strategic, operations, reporting and compliance. Strategic risks therefore, are the specific
risks related to the organization being able to accomplish its strategic objectives. An
organization will face other risks, related to its operations, reporting and compliance, but
strategic risks are directly linked to its core business strategy and objectives. As such it
represents, according to S&P, “Management’s view of the most consequential risks the
firm faces,..” Because of its significance and direct link to strategy, strategic risk
management is most often viewed as the purview of senior management and the board.
Again, the term defines processes and activities, not necessarily a functional unit.
In short, risk terminology can be summed up as follows;

- Risk management; a generic term that can include any and all processes and
activities that an organization undertakes to manage risk
- Enterprise risk management; a formally defined, robust process that an
organization uses to attend to all of its risks across the enterprise
- Strategic risk management; a sub-set and foundation of ERM that includes the
process and activities intended to manage those risks that are most consequential
to the organizations ability to achieve its strategy and strategic objective.
146

147

Chapter 6
Strategic Risk Management Case Studies

Three case studies are presented that demonstrate real-life impacts of certain strategic
risks.
• Apple Case Study 146

• Genentech Case Study 150
• Nokia vs. Ericsson Case Study 153
148

Chapter 7
Apple Computer, Inc.
The following is a short case study to demonstrate the use of both the Return Driven
Strategy framework and the related Strategic Risk Management framework. The case
discusses, at a high level, the strategy and strategic risks for Apple Computer, Inc.
(Apple). The case also demonstrates the sequence from strategy to strategic risks.
Exercises we conducted in both the classroom and in practice have shown the need to
understand and de-compose an organization’s strategy before attempting to describe its
strategic risks. In earlier work, we attempted to directly identify an organization’s
strategic risks, without de-composing its strategy. That work convinced us that it is
necessary to first describe and de-compose the strategy and then apply the Strategic Risk
Management framework to the strategy elements to get at the real strategic risks (as
shown below).
The Linkage Between Strategy and Strategic Risk
Strategy Strategic Risk

Risk Metrics
Understand the Understand the Risks in How is Risk Measured,

Strategy the Strategy Monitored & Managed?
“The sequence is important, you can’t understand an organization’s strategic

risks without a deep understanding of its strategies.”
Frigo and Anderson, Strategic Risk Management: A Primer for Directors and Mananagement Teams (2009)
149

Chapter 7
Apple Background
Apple is a well recognized, public company that was founded in 1976. It produces
arrange of products including personal computers, portable digital music players, and
mobile communications devices. It also sells various software services, peripherals and
networking solutions. Apple has a reputation for being highly innovative and has
produced very successful products including the Macintosh computer, the iPod, and the
iPhone. Its 2008 revenues were $32.5 billion and it has over 30,000 employees. The
Apple brand is also highly linked with one of its founders, Steve Jobs.
Apple’s Strategy
Exhibit 1 below uses the Return Driven Strategy framework to display some of the key
elements of Apple’s business strategy based on their publicly available information. For
purposes of this illustration, certain key items are indicated. A more in-depth analysis
could go further into detail including comments on each of the strategy tenets and the
foundations. However, for this case, we have chosen certain key tenets including;
- Innovate offerings
- Fulfill Otherwise Unmet Needs
- Target Appropriate Customer Groups
- Brand Offerings
- Partner Deliberately
- Genuine Assets
The exhibit illustrates the specific areas of their strategy that relate to each tenet. For
example, Steve Jobs, employees, creativity and proprietary knowledge are listed as key
Genuine Assets. We have also noted that two tenets; Brand Offerings and Genuine
Assets are critical elements of their strategy.
150

Apple – Business Strategy
Innovative Offerings
• Hardware, Software, Peripherals, Service & Internet
Fulfill Otherwise Unmet Needs
Offerings • Retail Stores - expand offering to appeal PC owners
• Continuous investment in R&D to drive innovation & • Highly focused research to determine customer wants.
cutting edge technologies • Products result of extensive research and strong design
Target Appropriate Customer Groups

• Consumer and Small and Mid-Sized Business
• Education, i.e. teachers and students
• Enterprise, Government and Creative
Brand Offerings
• Unique design and development, create strong brand loyalty and
customer appeal
• A Brand is a company’s most valuable asset
Partner Deliberately
• Microsoft Office
• Education Sales – getting the customer “hooked”
Genuine Assets • iPhone Strategy – build a great product, allow AT&T to service contracts
• Steve Jobs
• Employees
• Creativity
• Proprietary knowledge
Page 1
Do not copy or redistribute without express written consent of Dr. Mark L. Frigo
Apple’s Strategic Risks

Exhibit 2 below utilizes the Strategic Risk Management framework to illustrate the
strategic risks that Apple faces as it follows its core strategy. The exhibit was developed
by taking each of the tenets identified in Exhibit 1 as key strategy elements and then
considering the related strategic risk category. Again, using publicly available
information, the specific risk items within each risk category were identified. In this
manner, we were able to identify not only the major strategic risk category, but the
specific risk items within the category that would need to be considered, managed as
part of Apple’s strategic risk management process.
151

Chapter 7
2) Apple Strategic Risks

• Foreign Market Risk –
• Retention of Niche Investor Asia/Europe
Risk
Market • Market Price Sensitivity
• Ability to anticipate • Acceptance of Windows
Niche needs Customer Market 7
• Loyalty to Windows Risk Risk
• iTunes Pricing – Walmart
& Amazon
Operations
Innovation Brand
Risk
Risk Risk
• Inability to develop new
products
Supply Employee • Loss of Brand Recognition –
• Inability to fund Partnering R&D Reputation
Chain Engagement IPOD
innovation Risk Risk Risk
Risk Risk
• Steve Jobs
• Google & Open Source
Environment • Deployment of brand
Genuine Assets at Risk
damaging product
• Nokia – Ovi Store
Emerging Events and Sustainability Risk
• Palm Pre
Financial, Reporting, Performance Monitoring and Governance Risks
• AT&T only
• Distribution Channel
challenges • Steve Jobs health – difficult to • Ability to attract and retain
substitute his leadership talent
• Protection of proprietary • Loss of Apple as preferred
knowledge employer
• Ability to attract a global
workforce
Page 2
Do not copy or redistribute without express written consent of Dr. Mark L. Frigo
Summary
This quick case study demonstrates the direct linkage between strategy and strategic
risks, which can be developed using the Return Driven Strategy framework and the
related Strategic Risk Management framework. While we would expected that the
actual analysis of a company would be more in-depth than the example used, the
exhibits serve as a concise example of the use of the frameworks and the critical
sequence and linkage that they facilitate.
152

Strategic Risk in the Supply Chain37

One component of the Strategic Risk Framework is Operations Risk. For some
manufacturing organizations, a key sub component of this risk is supply chain risk. This
may be an excellent example of a critical strategic risk that many organizations do not
formally assess as part of their risk management activities. An organization that did
assess this risk was Genentech. Genentech is among the world's leading biotech
companies and is considered by many to be the founder of the biotechnology industry
(stock ticker - “DNA”). The company has been using human genetic information to
discover, develop, manufacture and commercialize biotherapeutics that address
significant unmet medical needs. The company was initially an R&D company with a
little manufacturing. As it grew, its manufacturing operations become more significant,
as did its supply chain. On January 29, 2003, an explosion and fire destroyed the West
Pharmaceutical Services plant in Kinston, NC. The facility produced rubber stoppers
and other products for medical use. West Pharmaceutical Services was the sole supplier
of rubber stoppers for Genentech’s key products. This disruption in the supply chain for
a relatively minor component could have seriously impacted sales revenue and earnings.
Fortunately, the company was able to find enough excess inventory of the components
to avoid serious financial impact. But it was a wakeup call to invigorate its risk
management capabilities. The supply chain was identified as the number one risk
management area for the company. Since its products are cutting edge therapies of
unmet patient needs, interruption in the supply chain can have serious impact on patients
and reputation of the company. Since 2004, the company has developed an effective
ERM process which incorporates strategic risk management with the following
characteristics:
Links risk modeling, risk bearing capacity and financial goals to create a direct link
between risk management decisions and shareholder value
Identifies key risk areas based on the potential impact on EPS and Free Cash Flows
A tool of risk management decisions and Identification of potential new
performance metrics to manage risk
The risk model focused on root cause assessment, consequences in terms of
reputation, delivery time and financial impact.
37
“Genentech Risk Management Case Study” Strategic Risk Management Lab working paper, DePaul
University, 2008
153

Chapter 7
Genentech Supply Chain Risk
Genentech
Genentech is among the world's South San Francisco Campus Site
leading biotech companies and is
considered by many to be the founder
of the biotechnology industry (stock
ticker - “DNA”).
The company has been using human
genetic information to discover,
develop, manufacture and
commercialize biotherapeutics that
address significant unmet medical
needs.
The company was initially an R&D
company with a little manufacturing
As the company moved toward more
manufacturing, its risk profile changed
Genentech Supply Chain Risk
On January 29, 2003, an explosion Since 2004, the company has

and fire destroyed the West developed an effective ERM
Pharmaceutical Services plant in
Kinston, NC. process which incorporates
The facility produced rubber stoppers strategic risk management with the
and other products for medical use. following characteristics:
West Pharmaceutical Services was the 1. Links risk modeling, risk bearing
capacity and financial goals to create a
sole supplier of rubber stoppers for
direct link between risk management
Genentech’s key products. decisions and shareholder value
This disruption in the supply chain for 2. Identifies key risk areas based on the
a relatively minor component could potential impact on EPS and Free
have seriously impacted sales revenue Cash Flows
and earnings. 3. A tool of risk management decisions
Fortunately, the company was able to and Identification of potential new
find enough excess inventory of the performance metrics to manage risk
4. The risk model focused on root cause
components to avoid serious financial
assessment, consequences in terms of
impact. reputation, delivery time and financial
impact
154

Genentech Supply Chain
Safety
Event Stock
Reroute
Reroute
Net Decrease in
Production
Excess
Capacity At Capacity
Creating and Protecting Shareholder Value

It is important for management and directors to begin a new process of strategic risk
management. That process must begin with the identification of the organizations true
strategic risks. The Return Driven Strategy framework and its related Strategic Risk
Management framework provide useful tools to assist management and directors in this
process. This process may begin with the analysis of only one key tenet and its related
risks. Ultimately the frameworks will enable a more complete and robust analysis of
strategic risks and assist management and directors to enhance the organizations overall
risk management processes. This will also help meet the expectations of other
constituents and stakeholders such as rating agencies or regulators. In the long run,
better strategic risk management will enhance the organizations ability to create
shareholder value while effectively managing the related risks.
155

Chapter 7
Nokia vs. Ericsson: Supply Chain Risk

Strategic risk management can help companies avoid the problem of not recognizing
risks soon enough and can help management take swift action to deal with those risks
that do occur. What initially appeared to be a minor disruption in the value chain for
Nokia and Ericsson in March 2000 turned out to be a critical event for both companies.
On Friday, March 17, 2000, a line of thunderstorms appeared in Albuquerque, N.M. A
lighting bolt struck a Philips semiconductor plant, causing a fire in a plant that made
chips for both Nokia and Ericsson and presented similar risks to both companies. The
fire was minor, lasting only 10 minutes, and the damage at first appeared to be limited,
so Philips expected to be back in operation within a week. As it turns out, the disruption
to the plant was months rather than weeks, and the impact on production was
significant.
Nokia quickly noticed the problem with the supply of the parts even before Philips told
them there was a real problem. They took fast action to address the situation once they
determined that the potential impact of the disruption in the supply of chips from the
Philips plant could translate into an inability to produce four million handsets,
representing 5% of the company’s sales at the time.
In contrast, Ericsson responded slowly and didn’t have alternative sourcing options. By
the time management realized the extent of the problem, they had nowhere else to turn
for several key parts. This partly stemmed from the company’s strategy in the mid-
1990s, when it simplified its supply chain to cut costs and in the process weakened its
supply backup. One manager at Ericsson said: “We did not have a Plan B.”
Underestimating the risk of the disruption in supply from the Philips plant and being
unable to manage the problem were major factors that led to Ericsson exiting the phone
headset production market in 2001.38
What lessons do these contrasting cases offer about integrating strategies and risk
management surrounding the supply-chain?39
Link the potential impact of supply chain disruptions to revenue and earnings to
prioritize and manage risk.
Build in the necessary levels of redundancy and backup and maintain supply
chain intelligence and relationships.
38
For more about this example, see “Trial by Fire: A Blaze in Albuquerque Sets Off Major Crisis for
Cell-Phone Giants” in the January 29, 2001, issue of The Wall Street Journal.
39
See article by Mark L. Frigo, “Strategic Risk Management: The New Core Competency” Balanced
Scorecard Report, January-February 2009
156

Continuously monitor supply chain performance measures to quickly identify

problems so that countermeasures can be taken.
Share information and foster communication at the first instance of a problem.
Supply Chain Risk
De-Risk Moves
• Build Contingent Redundancy

• Track Real-time Performance
Example – Ericsson vs. Nokia
• Lightning bolt causes an electrical

surge, igniting a fire at the Philips
microchip plant in Albuquerque,
N.M.
• Result: significant smoke/water
contamination; wiping out nearly
the entire stock of microchips.
Page 51
Nokia vs. Ericsson Response
Nokia Ericsson
• Within 2 days, Nokia noticed potential • Low level employees at Ericsson did not
disruption of supply chain and impact understand and communicate the
to 4 million handsets importance of the event.
• By the time they realized the potential
• Nokia Chairman and Philips CEO impact, Philips had guaranteed the
spoke immediately supply to Nokia
• Philips routed production to other • “We didn’t have a Plan B”
• No other suppliers were capable
plants and guaranteed supply to Nokia • In 2000, Ericsson announced a $1.8
• Nokia put in place a risk management billion loss in mobile phone division.
program across the supply chain
Philips
• Nokia is currently leading producers of
handsets. • Reported losses of $500 million
• Stock dropped by 14%
• Sold semi-conductor division
Page 52
157

Tools and Diagnostics for Strategic Risk

Management
Two tools that have proven useful to management groups are discussed and detailed in
this chapter.
• Strategic Risk Management Alignment Guide – Use and Application 156

• Strategic Risk Management Maturity Diagnostic – Use and Application 159
• Strategic Risk Management Maturity Diagnostic 162
158

Tools and Diagnostics for Strategic Risk Management
Strategic Risk Management Alignment Guide – Use and Application
Introduction: The strategic risk management alignment guide (see example) is a useful
tool to frame a high-level discussion or analysis of the overall system for managing an
organization’s strategic risks. The guide presents a simple way to match basic risk
responsibilities and processes to the organization’s strategic risk categories. The
responsibilities and processes reflected on the grid are consistent with the overall
components of enterprise risk management as outlined in the COSO “Enterprise Risk
Management – Integrated Framework.” In addition, the guide can be helpful to boards
and senior management teams as they work to shape and articulate the organization’s
risk management culture. It has become increasingly clear that information sharing and
communication across the organization is a “best practice” in risk management. The
guide can be helpful in shaping and enhancing those processes.
The guide is not intended to be viewed as a “final product” or only tool that is needed
for risk management. Rather, the guide should be viewed as just one component of the
organization’s risk management processes. Many organizations find that there is
significant value in working through the guide as it forces a focus on specific actions
and responsibilities and presents and overall viewpoint. Often, the initial work through
the grid will result in the identification of inconsistencies across the processes. For
example, certain cells may initially end up blank while others may have multiple or
overlapping entries that lack clarity.
Given the dynamic nature of risk, the guide should ultimately be part of on-going
processes that includes periodic reviews and updates to the guide.
Structure of the Grid: A basic example of the strategic risk management alignment
guide is presented below for illustrative purposes. Each organization should tailor the
guide to best reflect its specific needs and situation.
159

Chapter 8
Risk Risk Risk Monitoring Action Board Company

Category Owner Appetite Plans Oversight Oversight
Metrics (4)
(1) (2) (3) (5) (6) (7)
Reputation CEO Policy Corporation Approved & Full Board Executive

approved Affairs Updated Committee
xx/ xx/ xx xx/ xx/ xx
Operational COO Metrics in Operations Plans in place Risk Risk

place for all Management for each trigger Committee Management
operating daily point
divisions monitoring and Internal Audit
reporting
(1) Strategic risk categories as defined and used on an enterprise-wide basis

(2)Member of management responsible for each risk category
(3) Risk appetite or limit approved by management and the board
(4) Monitoring activities performed for the risk category
(5) Existence and status of action plans to address deterioration in the risk category
(6) Board unit responsible to oversee management of the risk category
(7) Company unit responsible for assurance or oversight of the risk activities of the category
Application: Most organizations use a team approach for their initial analysis using the
guide. This team should include senior representatives of business units as well as the
various control, internal audit, risk and compliance functions. Participants should be
senior enough in the organization to have an enterprise wide perspective and
understanding of the organization’s strategic risks.
Often, a facilitated session or meeting is used to perform the initial completion of the
guide. At this point, the focus should be to determine objectively if the cells can be
completed or more work or clarity is needed. Follow up points from these initial efforts
may entail the following:
- Validation of completed cells. The team should validate what they believe to be
the correct information in each cell. For example, if they believe a specific
member of senior management is a risk owner, they should verify that with the
person to ensure that the member of management acknowledges both their
ownership of the risk and the related risk management activities.
- For cells with multiple entries, the team may need to clarify or prompt the
clarification of roles and responsibilities. One of the key outcomes of the guide
160

analysis should be clarity around the roles and responsibilities, so this becomes a
very important point for the team to focus on.
- For blank cells, the team needs to perform additional work to determine whether
there are processes or activities that they are not aware of, or whether the
analysis is pointing to items that will require senior management attention.
- The team should also take the opportunity to “sit back” and look at the guide to
try to identify opportunities to better rationalize activities and to look for
opportunities to foster better information sharing across the grid.
This initial analysis should result in a preliminary guide and a list of follow up items
that require attention or implementation. This may also be good time to “socialize” the
guide with the board and management to encourage better understanding of the
organization’s risk management processes.
As noted above, the guide must be viewed as part of an ongoing process, not a sole, one-
time event. The organization should consider how the guide and related processes can
be made dynamic, with periodic reviews and updates to ensure that both the processes
and risk categories remain current.
161

Strategic Risk Management Maturity Diagnostic

Use and Application
Introduction
Risk management is an activity that is continuing to evolve in both its techniques and in
its application. Differences in understanding and application are apparent as one looks
at different industry segments and also different countries. For example, larger
institutions in the financial services industry have had fully dedicated enterprise risk
management (ERM) functions for a number of years. Conversely, fully dedicated ERM
functions are not found as frequently in the manufacturing sector. Looking across
industries then, a range of risk management activities becomes apparent. Some
organizations are at early stages in the maturity of their risk activities while others are
developing and deploying leading or best practices in their functions.
Additionally, as noted earlier in the primer, organizations such as the rating agencies
like Standard & Poor’s and Moody’s, have released their views and evaluation criteria
on risk management activities and processes.
In this current environment, we observe that many organizations and their directors,
especially outside of the financial services industry, are seeking to expand their
understanding of risk management processes and how they should be applying them in
their particular situation. For some, this is an education process that involves both
increasing the personal understanding of management and the directors about risk
management and also understanding where, along the range of risk activities, they
believe their organization should be.
The Strategic Risk Management Maturity Diagnostic is a tool designed to facilitate

discussion and enhance understanding relative to both of the educational aims noted
above namely; personal understanding of risk management and a maturity curve
analysis for the organization.
Structure of the Maturity Diagnostic

The Strategic Risk Management Maturity Diagnostic was developed as a tool to display
a range of possible risk management activities, which is a basic maturity curve for risk
management. The Maturity Diagnostic incorporates practices that have been noted by a
variety of organizations including the rating agencies, COSO, and various articles and
reports. (see Appendix A – Bibliography) The tool is structured to display risk
management practices across a range that covers four levels; Weak, Adequate,
162

Enhanced and Best Practice. The four category names were selected simply to allow
for the presentation of four levels and they are not intended to represent or equate to any
specific recognized criteria or accepted standard. They merely provide descriptions of
wide ranges to facilitate analysis and discussion.
Also, while the tool displays Level 4 – “Best Practice” activities for each question, it
should not be assumed that every organization will desire or need to achieve that level
for every one of its risk management activities. As with any comparison to “best
practice” an organization must consider its specific situation, needs, and costs and then
decide which level of maturity and specific practices are most appropriate for them. The
specific organization’s size, complexity, resource capacity, and risk profile will need to
be considered in determining the most appropriate level of maturity for its risk
management processes.
The tool describes various levels of risk management practices grouped within two key
topical areas; Risk Management Culture and Governance and Strategic Risk
Management. These two topical areas of the diagnostic tool are also the key areas for
initial analysis for Standard & Poor’s in their reviews of risk management. Within each
of these broad areas, a series of key questions is posed, followed by a range of possible
risk management activities to respond to the question.
The final section of the diagnostic tool has a more detailed series of questions related to
in five topical areas; Risk Management Culture and Governance, Risk Appetite and
Tolerances, Risk Monitoring, Emerging risks, and Strategic Risk Management. These
questions allow for a deeper discussion in any of those specific areas.
Application
The diagnostic tool is intended to be used more to facilitate discussion than used as a
simple check-list. Discussion could be conducted at either the management level or the
board level. Realistically, management personnel may find it more beneficial for them
to use the tool first for their discussions and analysis as part of building their risk
management strategy and plans. This could be followed by presentations and
discussions with directors and the tool being used to display the levels of current and
proposed maturity for the organization.
As noted above, a critical element of risk management is matching the organization’s

needs and resources with an appropriate level of risk management maturity. This is why
the tool is intended to facilitate discussion and not be viewed as a mere checklist.
Accordingly, a simple maturity curve exercise, as practiced by many consultants, may
163

Chapter 8
be useful here. This type of exercise is aimed at identifying two points on any maturity
curve or range; 1) the level of the organization’s current practices and, 2) the desired
level of maturity for those same practices. Once the desired state is known, a project
plan can then be developed to implement actions to close the gap and bring the
organization to the desired level.
Using the questions and diagnostic tool, it may be a relatively straight-forward process
to agree on the current state of the organization’s risk management processes in each
area. That establishes the current state baseline. The real work is then to discuss and
agree on the desired future state of what level the organization wants to move its
practices up to and also to identify the specific practices it wants to implement.
Management should also consider whether a phased approach would be beneficial.

Some organizations have established interim target levels for their initial
implementations. Their approach and plan assumes that when they reach that desired
initial level of maturity, they will reassess their situation and determine if a second
phase would be beneficial to reach even higher levels of maturity with their processes.
For example, one organization performed an initial current state/future state assessment
but decided that the organization was not yet ready to consider the need for a full ERM
function or a Chief Risk Officer (CRO). They decided to work toward an initial level of
maturity that would include implementing a management risk committee and then they
would let that committee operate before they would re-assess the need for higher levels
of maturity including possibly implementing a fully dedicated ERM function and a
CRO.
The maturity diagnostic can also be used as a starting point for a library of risk
management practices. As other or newer practices are identified, for example industry
specific practices, the tool can be expanded and its contents deepened and made more
company specific.
164

Strategy Risk Management Maturity Diagnosis
1. RISK MANAGEMENT CULTURE AND GOVERNANCE

a. Does the company have a risk-management program?
1-Weak 2-Adequate 3-Enhanced 4-Leading Practice
• No formal ERM •Early-stage ERM •Formal, independent •Board approved risk

program, framework, or program, framework, or ERM program, policy establishes clear
structure in place. structure in framework or structure roles and accountabilities
development. in place and functioning
• Ad hoc / limited on a repeatable basis. •Risk management
coordination and/or •Modest coordination acknowledged as part of
communication between and/or communication •Regular coordination the organization’s
risk and control between risk and control and/or communication culture.
functions. functions. between risk, control
and planning functions. •Formal, independent
ERM program,
•Common risk criteria framework or structure
and definitions used in place and
across the organization. evaluated/ validated by
credible 3rd party.
•Communications on risk
and risk management to •Extensive collaboration,
all levels of the coordination and/or
organization. communication between
risk, control and planning
functions.
b. Has the organization established its risk appetite or risk tolerance?
•No formal statement of •Informal / implied risk •Formal statement of risk •Formal, board approved
risk appetite and risk appetite. Risk appetite appetite that is regularly statement of risk
tolerances. decisions made on a referenced and used to appetite that includes
case-by- case basis. guide decisions and both risks taken and not
tolerances. to be taken.
•Some risk tolerances
established and used, •Risk tolerances •Risk tolerances are
but in a decentralized established for all risks clearly embedded in
fashion. and used with some planning and decision
centralized aggregation making processes.
and reporting of any
exceptions. •Risk tolerances
established for all risks
•Organization is not over and used with
reliant on any one centralized aggregation
specific risk methodology and reporting of risk
or model. levels and any exceptions
on a regular basis.
165

Chapter 8
c. What staff is responsible? What are reporting relationships?
•No clear responsibility •Responsibility for ERM •Clear responsibility for •Executive-level ERM
or accountability for not explicit / scattered ERM program (i.e. position (i.e. Chief Risk
ERM. across multiple Enterprise Risk Officer) with clear
individuals / functional Manager). responsibility for
•ERM staff too low level areas. maintaining and
or without any real voice •Accountability for authority for enforcing
in the organization. •Informal reporting participation in ERM by ERM program and
relationships to CEO, functional areas of policies.
Board, or Board business.
Committee. •Dedicated resources to
•Allocated resources to facilitate and sustain
facilitate and sustain ERM program.
ERM program.
•Independent reporting
•Dotted-line reporting relationship from ERM
relationship from ERM program to CEO, Board,
program to CEO, Board, or Board Committee.
or Board Committee.
•Ongoing, direct
communications
between CRO, CEO and
board.
d. What reports go to the CEO, audit committee, and board of directors?
1-Weak 2-Adequate 3-Strong 4-Excellent
•Ad hoc reporting of risks •Annual, disaggregated •Quarterly / monthly, •Near-real time
to senior management, reporting of risks to aggregated reporting of availability of aggregated
Board, or Board senior management, risks to senior risk reporting (including
Committee. Board, or Board management, Board, or exception notifications)
Committee. Board committee. to senior management,
Board, or Board
committee.
166

e. How does the company measure success of its risk-management program?
•No formal measures of •Measures of success •Measures of success •Measures of success

success defined. defined, but primarily defined, with qualitative defined, with both
rely on qualitative self- and some quantitative qualitative and
•No regular review of assessments. components. quantitative
program performance. components; including
•Annual self-review of •Quarterly self-review comparison of realized
program performance, and annual independent risks with previously
with results reported to review of program defined / anticipated
senior management, performance, with levels of risk.
Board, or Board results reported to
Committee. senior management, •Monthly self-review and
Board, or Board annual independent
committee. review of program
performance, with
results reported to
senior management,
Board, or Board
committee.
167

Chapter 8
f. How is risk management integrated into performance/ budgeting process?
•No consideration of •Some informal •Clear, formal •Inclusion of ERM

ERM in the performance consideration of ERM in consideration of ERM in imbedded in the
and budgeting process. the performance and the performance and performance and
budgeting process. budgeting process at budgeting process for all
strategic business unit business units .
and organization levels.
g. How do risk-management metrics affect compensation for managers?
•No consideration of •Some informal •Clear, formal •Clear and direct

ERM / risk-management consideration of ERM / consideration of ERM / consideration and
metrics in the risk-management risk-management inclusion of ERM / risk-
compensation for metrics in the metrics in the management metrics in
managers. compensation for senior compensation for the compensation for all
managers. business unit heads and managers.
senior managers.
•Executive incentive
programs specifically
aligned with risk appetite
168

2. STRATEGIC RISK MANAGEMENT ?

a. What is Management's view of the most consequential risks the firm faces, their
likelihood, and potential effect on the firm’s performance
•Management does not •Management has a view •Management and the •Management and the
have a clear and direct of some of the most board has a periodic board has a clear and
view of the most consequential risk the view of the most continuous view of the
consequential risk the firm faces their likelihood consequential risk the most consequential risks
firm faces, their and potential impact on firm faces, their the firm faces, their
likelihood and potential the firm’s performance. likelihood and potential likelihood and potential
impact on the firm’s impact on the firm’s impact on the firm’s
performance. performance. performance.
•Event scenario analysis

used to identify
emerging risks and issues
169

Chapter 8
b. What is the frequency and natures of updating the identification of these top
risks?
•The updating the •The updating the •A formal process •An ongoing process
identification of risk is identification of risk is exists for updating exists for updating
infrequent and ad sporadic but the the identification of the identification of
hoc, the nature of the nature of the updating risk on a frequent risk on a continuous
updating is not is comprehensive. basis and the nature basis and the nature
comprehensive or of the updating is of the updating is
strategic. comprehensive and comprehensive and
strategic. strategic using a
strategic risk
management
framework.
170

c. How does risk management affect the company’s financial decision making?
What is the influence of risk sensitivity on liability management and financing
decisions?
•Risk management is •Risk management is a •Risk management is a •Risk management is

not an integral part of part of most financial part of all financial an integral part of
financial decision decision making. decision making. financial decision
making. making and is
•Organization is not strategic and
over reliant on a prioritized.
specific methodology
or model •Decision making
based on both
quantitative input and
judgmental and
critical analysis
d. When developing strategic plans does the company use risk/ reward analysis
when allocating resources (e.g., capital, talent)?
•Risk management is •Some risk •Risk management is •Risk management is

not part of the management are included in the an integral part of the
strategic planning included in the strategic planning strategic planning
process, the strategic strategic planning process, the strategic process, the strategic
plan or key process, the strategic plan and key plan and key
performance plan or key performance performance
measures. performance measures. measures.
measures.
171

Chapter 8
e. How does management reflect risk and reward for risk in strategic decision
making?
•Risk assessment and •Risk assessment and •Risk management •CRO has approval
management is not an management is part personnel participate authority and is an
integral part of of some strategic in most strategic integral part of
strategic decision decision making. decision making. strategic decision
making. making.
•Formal new product
policy established •CRO has the
requiring risk authority to prompt
assessment of new risk reviews of existing
products / initiatives products or initiatives.
f. How does management reflect risk in performance measurement systems in the

firm?
•Risk measures and •Some risk measures •Risk measures and •Risk measures and
key risk indicators are and key risk indicators key risk indicators are key risk indicators are
not part of key are used in the part of key an integral part of the
performance organization. performance performance
measures used in the measures used in the measurement
organization. organization. processes used in the
organization and
monitored regularly.
172

Risk Management Culture and Governance

-- Has the organization established a risk management culture?
-- Does the company have a formal risk-management policy and program?
-- Are there clear roles and responsibilities for risk management?
-- Is risk management staffed with appropriate expertise with independent reporting
relationships?
-- What risk reports go to the CEO, audit committee, and board of directors?
-- How does the company measure success of its risk-management program?
-- How is risk management integrated into performance/budgeting process?
-- How do risk-management metrics affect compensation for managers?
Risk Appetite and Tolerances

Has the organization established its risk appetite and tolerances?
Are the risk appetite and tolerances reviewed with and approved by the board?
Do the risk tolerances includes all types of risks and exposures?
Are the risk tolerances periodically reviewed to ensure that they align with the business
strategy and financial objectives?
Are executive incentive plans periodically reviewed to ensure that they align with the
risk tolerances and business strategy?
Risk Monitoring
-- How does the company identify and control each major risk?
-- What are the company's risk limits for each major risk? How are they enforced?
-- How did the company manage losses in a recent loss event scenario?
-- What changes were made to risk-management procedures as a result of loss
experience?
-- What information about each major risk is shared with senior management and/or the
board of directors?
Emerging Risks
-- Does the organization have a formal, ongoing process to identify emerging risks or
risk events?
-- What does the company do to prepare for extreme disaster?
-- What types of disasters are of active concern to the company?
-- What are the company's stress testing practices?
-- What are the company's liquidity risk management practices?
-- What contingency plans has the company developed?
-- What environmental scanning techniques does the company use to anticipate the
emergence of extreme disasters?
173

Chapter 8

-- When developing strategic plans does the company use risk/reward analysis when
allocating resources (e.g., capital, talent)?
-- How does management reflect risk and reward for risk in strategic decision making,
pricing, and performance measurement?
-- How does risk management affect the company's financial decision making?
174

Appendix
Appendix A: Bibliography 173

Appendix B: NACD: The Key Agreed Principles 181
Appendix C: Governor Randall S. Kroszner Speech 183
Appendix D: Overview: S&P Announcement 192
Appendix E: Overview: Moody’s Investors Service 194
Appendix F: COSO: “Effective Enterprise Risk Oversight” 195
Appendix G: Glossary of Terms 199
175

Appendix A - Bibliography
Appendix A
Bibliography
Apgar, David. Risk Intelligence: Learning to Manage What We Don’t Know. Harvard
Business School Press, 2006
Beasley, Mark and Frigo, Mark L., “Strategic Risk Management: Creating and
Preserving Value”. Strategic Finance, May 2007
Beasley, Mark, Al Chen, Karen Nunez and Lorraine Wright. “Working Hand in Hand:
The Balanced Scorecard and Enterprise Risk Management”. Strategic Finance, March
2006
“Best Practices for a Board’s Role in Risk Oversight”, Moody’s Special Comment,
August, 2006
Bossidy, Larry and Ram Charan. Execution: The Discipline of Getting Things Done.
New York: Crown Business, 2002
Bruce, Brian R. and Bradshaw, Mark T., Analysts, Lies and Statistics. New York:
Institutional Investor Books, 2004
Busco, Frigo, Giovannoni, Riccaboni, and Scapens. “Integrating Global Organizations

through Performance Measurement Systems”. Strategic Finance, January 2006
Busco, Frigo, Giovannoni, Riccaboni, and Scapens. “Beyond Compliance: Why

Integrated Governance Matters Today”. Strategic Finance, August 2005
Charan, Ram. Owning Up: The 14 Questions Every Board Member Needs to Ask. John
Wiley & Sons, 2009
“Containing Systemic Risk: The Road to Reform”, Report of the Counterparty Risk
Management Policy Group III, August, 2008
“Cut Out the Risk for the Biggest Rewards” Financial Times, May 10, 2007
Damodaran, Aswath. Strategic Risk Taking: A Framework for Risk Management.

Wharton School Publishing, 2008
176

Davenport, Thomas H. and Jeanne G. Harris, Competing on Analytics: The New Science
of Winning. Boston: Harvard Business School Press, 2007
“Does ERM Matter? Enterprise Risk Management in the Insurance Industry”,

PricewaterhouseCoopers whitepaper, June 2008
Downes, Larry and Chunka Mui. Unleashing the Killer App. Boston: Harvard Business
School Press, 1998
Drucker, Peter F. Innovation and Entrepreneurship: Practice and Principles. London:

William Heinemann. 1985
Drucker, Peter F. Managing for the Future: The 1990s and Beyond. New York: Truman
Talley Books, Dutton, 1992
“Enterprise Risk Management: Standard & Poors To Apply Enterprise Risk Analysis to
Corporate Ratings”, S&P Announcement, May 2008
Eccles, Robert G., Scott C. Newquist, and Roland Schatz. Reputation and Its Risk.
Harvard Business Review, February 2007
Committee of Sponsoring Organizations of the Treadway Commision (COSO).

“Effective Enterprise Risk Oversight: The Role of the Board of Directors”. Retrieved
from www.coso.org
“Emerging Best Practices in Developing Key Risk Indicators and ERM Reporting”
Whitepaper, James Lam & Associates (Cognos), September 2006
Epstein, Marc J. “Implementing Corporate Sustainability: Measuring and Managing

Social and Environmental Impacts”. Strategic Finance, January 2008
Epstein, Marc J. Making Sustainability Work: Best Practices in Managing and

Measuring Corporate Social, Environmental and Economic Impacts. Bennett-Koehler
Publishers, 2008
Epstein and Roy. “How Does Your Board Rate?”. Strategic Finance, February 2004
Epstein, Marc J. and Roy, Marie-Josee. “Measuring and Improving the Performance of
Corporate Boards using The Balanced Scorecard”. Balanced Scorecard Report, March-
177

Frigo, Mark L and Anderson, Richard J., "Strategic Risk Assessment: A Foundation for
Risk Management and Governance". Strategic Finance, December 2009
Frigo, Mark. L.and Anderson, Richard J., “Strategic Risk Assessment: A First Step for
Improving Risk Management and Governance”. Strategic Finance, December 2009
Frigo, Mark L. “When Strategy and ERM Meeting”. Strategic Finance, January 2008
Frigo, Mark L. “Return Driven: Lessons from High Performance Companies”. Strategic
Finance, July 2008
Foster, Richard and Kaplan, Sarah, Creative Destruction. New York: Doubleday, 2001
Frigo, Mark L and Litman, Joel. “Driven: Business Strategy, Human Actions and the
Creation of Wealth”. Strategy & Execution, 2008
Frigo, Mark L and Litman, Joel. “Give My Regrets to Wall Street”. Harvard Business
Review, 2004
Frigo, Mark. L. and Litman, Joel. “What is Return Driven Strategy?”. Strategic Finance
,February 2002
Frigo, M. L. “Building the Verbs of Strategy on the Nouns of a Business”. Strategic

Finance, April 2003
Frigo, Mark L. and Richard J. Anderson. “A Strategic Framework for Governance, Risk
and Compliance”. Strategic Finance, February 2009
Frigo, Mark L. and Richard J. Anderson. “Strategic GRC: 10 Steps to Implementation”.

Internal Auditor, June 2009
Frigo, Mark L. and Joel Litman, “Driven: Business Strategy, Human Actions and the
Creation of Wealth”. Strategy & Execution Press, 2008
Frigo, Mark L. and Venkat Ramaswamy. “Co-Creating Strategic Risk-Return

Management”. Strategic Finance, May 2009
Frigo, Mark. L. “Strategic Competencies of Return Driven Strategy”. Strategic Finance,
178

June 2002
Frigo, Mark. L. “Building the Verbs of Strategy on the Nouns of a Business”. Strategic
Finance, April 2003
Frigo, Mark. L. “Mission Driven Strategy”. Strategic Finance, August 2003
Frigo, Mark. L. “Performance Measures that Drive the Goal Tenets of Strategy”.
Strategic Finance, October 2003
Frigo, Mark. L “Performance Measures that Drive the First Tenet of Business Strategy”.
Strategic Finance, September 2003
Frigo, Mark. L. “Growth isn’t always good: Knowing When and Where to Grow”.
Strategic Finance, December 2004
Frigo, Mark. L “Strategy and Execution: A Continual Process”. Strategic Management,

April 2004
Frigo, Mark. L. “Focusing Strategy on Fulfilling Customer Needs”. Strategic Finance,

January 2004
Frigo, Mark. L. “The Segments, Offerings, Needs Matrix”. Strategic Finance,

December 2003
Frigo, Mark. L. “Strategy and the Board of Directors”. Strategic Finance, June 2003
Frigo, Mark. L. “What’s Missing in Our Strategic Plans?”. Strategic Finance, May 2003
Frigo, Mark. L. “Strategy or Execution?”. Strategic Finance, March 2003
Frigo, Mark. L. and J. Litman. “What is Strategic Management?”. Strategic Finance,

December 2001
Frigo, Mark. L. “Guidelines for Strategic Financial Analysis”. Strategic Finance,

November 2003
Frigo, Mark. L. and R. Graziano. “Strategic Decisions and Cash Flow”. Strategic
Finance, July 2003
179

Frigo, Mark. L, “Strategy, Value Creation and the CFO”, Strategic Finance, January
2003
Frigo, Mark. L, “Strategy and the Balanced Scorecard”, Strategic Finance, November
2002
Frigo, Mark. L, “Strategy and Value-Based Management”, Strategic Finance, October

2002
Frigo, Mark. L. “Strategy-Focused Performance Measures”. Strategic Finance,

September 2002
Frigo, Mark. L. “Non-financial Performance Measures and Strategy Execution”.

Strategic Finance, August 2002
Frigo, Mark. L. “Strategy, Business Execution and Performance Measures”. Strategic

Finance, May 2002
Friedman, Milton Capitalism and Freedom. Chicago: The University of Chicago Press,
1962
Friedman, Milton and Rose Friedman Free To Choose. New York: Harvest, Harcourt
Inc., 1990
Fuller, Joseph and Jensen, Michael C.. “Just Say No to Wall Street”. Applied Corporate
Finance, Volume 14 – No. 4, Winter 2002, pages 41 – 46.
Gladwell, Malcolm. The Tipping Point: How Little Things Can Make a Big Difference.
New York: Little Brown & Company, 2000
Goldratt, Eliyahu M. Theory of Constraints. Great Barrington: North River Press, 1990
“High-level principles for risk management”, Committee of European Banking

Supervisors, Consultation paper (CP 24), April 8, 2009
Jensen Michael C. and Murphy, Kevin J. CEO “Incentives – It’s Not How Much You
Pay, But How”. Harvard Business Review, May-June 1990.
180

Kaplan, Robert S. "Risk Management and the Strategy Execution System". Balanced
Scorecard Report, November-December 2009
Kaplan, Robert S. and David P. Norton. The Execution Premium: Linking Strategy to
Operations for Competitive Advantage. Boston, MA: Harvard Business School Press,
2008.
Kaplan, R.S., and D.P. Norton. Alignment: Using the Balanced Scorecard to Create
Corporate Synergies. Boston, MA: Harvard Business School Press, 2006.
Kaplan, Robert S., and David P. Norton. “The Balanced Scorecard – Measures that
Drive Performance”. Harvard Business Review, 1992
Kaplan, Robert S., and David P. Norton. “Using the Balanced Scorecard as a Strategic
Management System”. Harvard Business Review January, 1996
Litman, Joel and Mark L. Frigo. “When Strategy and Valuation Meet: Five Lessons
from Return Driven Strategy”. Strategic Finance, 2004
Litman, Joel and Mark L. Frigo. “When Strategy and Valuation Meet: Five Lessons
from Return Driven Strategy”. Strategic Finance, 2004
Litman, J. “Understand, Execute, and Communicate Return Driven Strategy to

Maximize Your Valuations”. Strategic Investor Relations, 2001
Litman, Joel. “Genuine Assets: Building Blocks of Strategy and Sustainable

Competitive Advantage”. Strategic Finance, November 2000
“Managing Risk in the New World". Harvard Business Review, October 2009
Madden, Bartley J. CFROI Valuation A Total System Approach to Valuing the Firm.
Woburn: Butterworth-Heinemann, 1999
Mark Beasley, Bruce Branson and Bonnie Hancock. “ERM: Opportunities for
Improvement”. Journal of Accountancy, September 2009
Merchant, Kenneth. “Evaluating General Managers’ Performance”. Strategic Finance,

May 2007
181

National Association of Corporate Directors. Key Agreed Principles: To Strength

Corporate Governance For U.S. Publicly Traded Companies. National Association of
Corporate Directors, 2009
National Association of Corporate Directors. “Key Agreed Principles: To Strength

Corporate Governance For U.S. Publicly Traded Companies White Papers: Series І”.
National Association of Corporate Directors, 2009
“Observations on Risk Management Practices during the Recent Market Turbulence”,

Senior Supervisors Group, March, 2008
Peters, Thomas J. and Robert H. Waterman. In Search of Excellence: Lessons from

America’s Best-Run Companies. New York: Harper & Row, 1982
Porter, Michael E. "The Importance of Being Strategic" Balanced Scorecard Report,

Harvard Business School Press, 2002
Porter, Michael E. “What is Strategy?” Harvard Business Review, 1996
Porter, Michael E. Competitive Advantage-Creating and Sustaining Superior

Performance. New York: The Free Press, 1985
Porter, Michael E. Competitive Strategy Techniques for Analyzing Industries and

Competitors. New York: The Free Press, 1980
Reid, Peter C. Well Made in America: Lessons from Harley-Davidson on Being the Best.
New York: McGraw-Hill Publishing, 1990
Schumpeter, Joseph A. The Theory of Economic Development. Cambridge: Harvard

University Press, 1934
Schumpeter, Joseph A. Capitalism, Socialism and Democracy. New York:

HarperCollins Publishers Inc., 1975 (originally published 1942)
“Strengthening Enterprise Risk Management for Strategic Advantage”, Committee of

Sponsoring Organizations of the Treadway Commission (COSO), 2009
Surowiecki, James. The Wisdom of Crowds. New York: Doubleday, 2004
182

Slywotzky, Adrian J. The Upside: The 7 Strategies for Turning Big Threats Into Growth
Breakthroughs. New York: Crown Business, 2007
Slywotzky, Adrian. “Finding the Upside Advantage of Downside Risk”. Strategic Finance,
November 2008
Slywotzky, Adrian and John Drzik. “Countering the Biggest Risk of All”. Harvard
Business Review, April 2005
Steven Dreyer and Amra Balic. “Progress Report: Integrating Enterprise Risk
Management Analysis Into Corporate Credit Ratings”. Standard & Poor’s, July 22,
2009
Taleb, Nassim Nicholas. The Black Swan: The Impact of the Highly Improbable.
Random House, 2007
“Ten Common Risk Management Failures and How to Avoid Them”, Protiviti
Bulleting Volume 3, issue 6, January 5, 2009
“The Role of U.S. Corporate Boards in Enterprise Risk Management”, The Conference
Board, Research Report, 2006
Ulrich, Dave and Norm Smallwood, Leadership Brand: Developing Customer-Focused

Leaders to Drive Performance and Build Lasting Value. Boston: Harvard Business
School Press, 2007
Ulrich, Smallwood and Sandholtz. “Making Intangibles Tangible”. Strategic Finance,

December 2006
Walton, Mary. The Deming Management Method. New York: Perigee Books, 1986
Welch, Jack. Jack: Straight from the Gut. New York: Warner, 2001
Zook, Chris and James Allen, Profit from the Core: Growth Strategies in an Era of
Turbulence. Boston: Harvard Business School Press, 2001
183

Appendix B
Appendix B
THE KEY AGREED PRINCIPLES
Board Responsibility for Governance

Governance structures and practices should be designed by the board to position the
board to fulfill its duties effectively and efficiently.
II. Corporate Governance Transparency

Governance structures and practices should be transparent— and transparency is
more important than strictly following any particular set of best practice
recommendations.
III. Director Competency & Commitment

Governance structures and practices should be designed to ensure the competency
and commitment of directors.
IV. Board Accountability & Objectivity

Governance structures and practices should be designed to ensure the accountability
of the board to shareholders and the objectivity of board decisions.
V. Independent Board Leadership

Governance structures and practices should be designed to provide some form of
leadership for the board distinct from management.
VI. Integrity, Ethics & Responsibility

Governance structures and practices should be designed to promote an appropriate
corporate culture of integrity, ethics, and corporate social responsibility.
VII. Attention to Information, Agenda & Strategy

Governance structures and practices should be designed to support the board in
determining its own priorities, resultant agenda, and information needs and to assist
the board in focusing on strategy (and associated risks).
VIII. Protection Against Board Entrenchment

Governance structures and practices should encourage the board to refresh itself.
IX. Shareholder Input in Director Selection

Governance structures and practices should be designed to encourage meaningful
shareholder involvement in the selection of directors.
184

Appendix B
X. Shareholder Communications
Governance structures and practices should be designed to encourage
communication with shareholders40.
The National Association of Corporate Directors (NACD) puts forth these Key
Agreed Principles, grounded in the common interests of shareholders, boards and
corporate management teams, to provide a blueprint to corporate boards and thereby
to help improve the quality of discussion and debate governance issues moving
forward
40
“Key Agreed Principles”. National Association of Corporate Directors, 2009
185

Appendix C
Appendix C
Governor Randall S. Kroszner
At the Risk Management Association Annual Risk Management Conference,
Baltimore, Maryland
Strategic Risk Management in an Interconnected World
It is not an overstatement to say that we are in the midst of a fundamental transformation

in financial services, with market-wide ramifications. At the heart of that transformation
lies a much more intense emphasis on funding and liquidity. Additionally, we are all
witnessing the extent to which banking and financial markets are interconnected.
The current environment certainly presents some fundamental challenges for banking
institutions of all types and sizes.1 Their boards of directors and senior management,
who bear the responsibility to set strategy and develop and maintain risk management
practices, must not only address current difficulties, but must also establish a framework
for the inevitable uncertainty that lies ahead. Notably, the ongoing fundamental
transformation in financial services offers great potential opportunities for those
institutions able to integrate strategy and risk management successfully, and I will argue
that survival will hinge upon such an integration in what I will call a "strategic risk
management framework."
In the remainder of my remarks, I plan to discuss the necessity for institutions to

improve the linkage between overall corporate strategy and risk management, and how
they can develop concrete strategic risk management frameworks. I will argue that in
the highly interconnected financial world, funding and liquidity need to be at the center
of such frameworks. But before doing so, I will briefly review recent events.
Recent Events in Financial Markets
We are indeed witnessing dramatic shifts in the structure of financial markets. These are
quite extraordinary times that have required extraordinary responses from the Federal
Reserve, the Treasury, and other governmental bodies in the United States and around
the world. Since last summer, there had been a continuous deterioration of conditions in
financial markets, becoming much more acute since March of this year. For instance, we
have seen significant disruption in several key sectors of our financial system, such as
normally creditworthy companies having difficulty issuing commercial paper, dramatic
increases in interbank lending rates, and significant concerns about money market funds
"breaking the buck." These are sectors usually considered to be relatively low risk and
186

Appendix C
quite liquid, so disruptions here have signaled the extent and depth of this turmoil and
the lack of confidence among financial market participants.
The Federal Reserve has responded to these developments in two broad ways. First,
following classic tenets of central banking, the Federal Reserve has provided large
amounts of liquidity to the financial system to cushion the effects of tight conditions in
short-term funding markets. Second, to reduce the downside risks to growth emanating
from the tightening of credit, the Fed, in a series of moves that began last September,
has significantly lowered its target for the federal funds rate. Indeed, earlier this month,
in an unprecedented joint action with five other major central banks and in response to
the adverse implications of the deepening crisis for the economic outlook, the Federal
Reserve again eased the stance of monetary policy. We will continue to use all the tools
at our disposal to improve market functioning and liquidity, to reduce pressures in key
credit and funding markets, and to complement the steps the Treasury and foreign
governments will be taking to strengthen the financial system.
As a result of these ongoing upheavals, we are witnessing substantial institutional

changes, in which some long-standing financial institutions have either failed, sought
government assistance, or were forced to merge with other institutions. What were the
major U.S. investment banks have essentially disappeared, such as by merging with
bank holding companies or becoming bank holding companies themselves. Other major
banks and thrifts have been absorbed into other banking organizations. Financial
institutions and investors have placed much more emphasis on the banking charter,
likely driven by banks' more stable funding and deposit insurance, even before the
recently announced government support of the banking system.
Over the past year, there has been increasing concern among financial institutions and
other counterparties about the health of some financial institutions. Uncertainty about
the value of assets and other exposures, as well as uncertainty about the ability of
institutions to sustain continued access to funding, has caused financial institutions to
operate with great caution and hoard funds. What was once a healthy, active interbank
market has become frozen from time to time, as some institutions feel that conditions
are so uncertain that they cannot even lend to long-standing clients or counterparties. In
quite a dramatic shift from just 18 months ago, there is much more scrutiny being placed
on capital adequacy, with financial institutions trying to retain as much capital as they
can, raise as much as possible, and demonstrate that their capital positions are not
impaired. The Capital Purchase Plan by the U.S. Treasury Department under the
Emergency Economic Stabilization Act is focused on improving capital adequacy and,
hence, improving confidence in the interbank market.
187

Appendix C
Perhaps one of the most pressing issues, as I mentioned briefly earlier, is the intense
emphasis on funding. This dramatic shift in concerns about a financial institution's
funding base results in much more focus on the stability of funding sources--one of the
reasons that the bank charter has become so attractive. Indeed, we are seeing the
emphasis on funding driving many other factors that affect financial institutions,
including the viability of various aspects of firms' business models. And problems with
liquidity have affected capital levels, which in turn have further exacerbated liquidity
concerns. It is indeed quite remarkable how this "flight to liquidity" has brought about
so many institutional and structural changes, and become essentially the most important
factor (at least now) for the viability of a financial institution.
Over the past year there have been a number of studies analyzing the causes of the
current turmoil, which include shortcomings in the risk management practices of
financial institutions.2 It is absolutely clear that many financial institutions need to
undertake a fundamental review of risk management. They now realize that ignoring
risk management in any aspect of the banking business usually creates problems later
on. Risk management shortcomings need to be addressed not only to improve the health
and viability of individual institutions, but also to maintain stability for the financial
system as a whole.
Framework for Strategic Risk Management
At this time, I would like to explain a bit more about what I mean by a "strategic risk
management framework." In my view, an effective overall corporate strategy combines
a set of activities a firm plans to undertake with an adequate assessment of the risks
included in those activities. Unfortunately, many firms have forgotten the second part of
that definition. In other words, there can be no real strategic management in financial
services without risk management, hence my use of the term "strategic risk
management." Risk management needs to be interwoven into all aspects of the firm's
business and should be part of the calculus for all decision-making. Strategic decisions
about what activities to undertake should not be made unless senior management
understands the risks involved; assessing potential returns without fully assessing the
corresponding risks to the organization is incomplete, and potentially hazardous,
strategic analysis.
Ensuring that risk management permeates an entire organization may require some
fundamental changes for certain firms. And this lesson applies not just to the prominent
organizations mentioned in the headlines of late, but also to smaller firms. Even if
smaller firms have been less affected by the recent turmoil (and perhaps have even won
back some market share as customers seek more "traditional" places to put their money),
188

Appendix C
their managements must understand that the financial landscape has changed and needs
to be surveyed anew because events outside of their control in market-wide flight to
liquidity, for example, can have direct impacts on them. Of vital importance will be
incorporating into strategic risk management the lesson that funding and liquidity will
be a major determinant of institutions' success going forward.
Building a rigorous strategic risk management framework requires an institution to

reexamine both its internal practices and its external environment, and to understand
how closely the two are connected. In other words, external factors have an impact on
internal practices, but those internal practices, because financial markets are so
interconnected, can in turn have an impact on how the institution is viewed externally--
and even have an impact on the marketplace more broadly. We have witnessed several
such examples of late, in which an institution encountered severe liquidity needs, which
then affected funding for other institutions. Institutions need to understand better that a
number of factors affecting their business are beyond their control, and that events can
have secondary or tertiary "knock-on" effects. The real art is to realize that while all
institutions may be affected by external factors, each is affected in its own way.
Now that I have laid out a general framework for strategic risk management, I would
like to offer a few examples of its application.
Funding and liquidity
As I noted, the clear driver of the fundamental transformation in financial services is the
increased importance of funding and liquidity. The ability to secure funding is a
fundamental task in banking, and banks have been managing expected liquidity
demands since the beginning of banking itself. In times of stress, such as now, having a
solid and reliable funding structure becomes much more important, in some cases so
much so that it affects most other banking activities.
The current turmoil has brought about substantial deleveraging in financial services.
Managing this process is an immediate challenge for banking institutions, as they must
consider the need to reduce leverage at their own institution as well as understand the
consequences of deleveraging at other firms. This is clearly an example of external
factors affecting internal practices, and vice versa. From a strategic perspective, bank
directors must examine their current and future funding situation in light of recent
deleveraging, its near-term prospects, and the state of overall liquidity in financial
markets.
189

Appendix C
Financial institutions rely on external funding in some fashion--either through retail

deposits, interbank lending, or debt offerings. Therefore, they must understand that their
funding can be subject to the vagaries of the market, such as sudden shortages of market
liquidity or rapid swings in investor sentiment. For example, banks may benefit in the
near term in attracting deposits and thereby improve their funding positions, but they
also may experience more difficulty securing other sources of funds and find that
situation persisting for some time. Additionally, counterparty reactions to changes in the
business mix or risk profile of an institution (or even the perceived change in its risk
profile) could suddenly hamper the ability to find funding.
In recognizing the inherent leverage in the business of banking, institutions must

examine longer-term implications of funding and liquidity, and begin to build those into
the overall strategic plan for their organizations. The market for external funding is an
international one, so liquidity troubles in one market can have repercussions in others.
Accordingly, banks should be prepared for a range of adverse situations related to
funding and market liquidity that can be precipitated by a range of sources.
Bank directors and senior management need to anticipate potential difficulties in

funding the bank, and demand that solid contingency plans are in place--and are
regularly updated--for a variety of funding and liquidity problems. Such plans should
include the potential for external factors to generate a funding squeeze for the
institution, even if its own positions and risk profile have not materially changed.
Preparing for sudden changes in the pricing and availability at any price of funding
sources is something that, leading up to the current turmoil, most banks did not fully
consider. Instead, their managements focused mostly on building market share, growing
revenues, and realizing the short-term profitability of their activities--a telling example
of banks not properly including risk management in their overall corporate strategy. As
the Senior Supervisors Group Survey of major financial institutions pointed out, there
have been numerous examples of failures of strategic risk management and these must
be rectified going forward.
Finally, strategic risk management for funding and liquidity needs to consider potential
liquidity problems on both sides of the balance sheet. We saw such examples recently
when there were draws on liquidity commitments to structured investment vehicles and
commercial paper conduits, and when banks faced difficulty selling exposures in illiquid
markets. When there is a marketwide scramble for liquidity, a bank must be prepared to
manage funding challenges and unplanned asset expansions simultaneously. Developing
a strong strategic risk management framework that recognizes the vital importance of
funding and liquidity to both sides of the balance sheet is one way in which directors
and senior management can help ensure that their institutions are ready for such
190

Appendix C
outcomes. They should also ensure that they fully understand that funding and liquidity
issues will drive many of the activities in which they will be able to engage, something
to which I will now turn.
Choice of financial services activities
While the financial landscape is by no means settled, certain emerging trends will affect
which activities make sense, which exposures should be assumed, and which risks
should be undertaken. One immediate trend is that much of the future of business
activities of banking organizations will be driven by the increased focus on funding and
liquidity. Accordingly, this trend must be integrated into a strategic risk management
framework. For instance, there may be less opportunity to pursue activities that were
quite prolific under the previous "originate-to-distribute" model, such as securitizations,
given current disruptions or longer-term uncertainties about the reliability of market
liquidity. For similar reasons, other activities, such as investing in collateralized debt
obligations or structured investment vehicles--which typically relied on relatively easy
maturity transformation--may not be as viable in this new environment.
Whether transactions take place on an organized exchange or in the so-called over the
counter market is another important aspect of the strategic risk management choices
undertaken by an organization. When contracts are traded on an exchange, clearing and
settlement, for example, may have less uncertainty associated with them. In addition, an
exchange that has a centralized counterparty--perhaps the clearinghouse of the
exchange--can reduce uncertainty about counterparty risk and help to avoid market
dislocations that can arise from such uncertainty, not only for an individual firm but,
potentially, more broadly in that market. Thus, market infrastructure and its impact on
how organizations are connected to each other can have a large impact on market
confidence in times of stress.
Of course, we have seen that uncertainty, fear, and lack of trust among key
counterparties can dramatically affect trading in some products across markets in many
countries, again an example of the impact of interconnectedness. These days,
institutions are seeking more assurance that their counterparties will not default from
one day to the next. Whether there is a shift to more trading on clearinghouses will be
driven by firms' analysis of counterparty credit risk and the extent to which they are
comfortable doing business with leveraged counterparties about which they have limited
information. Firm managers should take these infrastructure and interconnectedness
issues into account in undertaking their own strategic risk management choice about
what activities to undertake and the risks posed by each. This is a clear example of how
external structures should be taken into account in a firm's strategic planning.
191

Appendix C
In their strategic risk management frameworks, institutions should also understand the
broader issue of potential gravitation to a model in which most or all types of financial
services are brought together in single institutions. That is, institutions have to prepare
for the possibility that they could lose customers and/or be less competitive if they are
unable to provide the full set of financial products. Importantly, however, bank directors
and senior management, in assembling their strategic risk management framework,
should fully understand the complications associated with offering multiple products
and engaging in a wide array of activities--such as reputational risk. And they should not
automatically assume that engaging in multiple activities in multiple geographic markets
will provide so-called "natural diversification." As I just noted, different financial
markets and different types of financial services are quite interconnected, and during
times of stress all can experience losses concurrently.
Of course, there may also be an opportunity for some institutions to benefit from more
traditional, "bread-and-butter banking," with exposures and risks tied more closely to
bank balance sheets. This potential opportunity for niche banking could have certain
benefits, as clients and investors, because of the fear of contagion, seek institutions that
are specifically not involved in multiple markets and activities. And local banks can
often provide more personalized service and have a better understanding of their clients'
needs. In such cases, however, institutions conducting specialized or local business must
understand the inherent risks, such as potential risk concentrations.
Compensation
As many of you know, as an economist I am particularly interested in the impact that

compensation has on incentives for bank management.3 I am pleased that the industry
has also begun to address this issue, as reflected in a recent report by the Institute of
International Finance.4 Clearly, the industry needs to better understand the link between
compensation and risk management, as in the past those two areas have usually been
addressed in isolation.
Generally, investors analyze financial institutions on a risk-adjusted basis, interpreting

profits based on the amount of risk taken. Management at financial firms should do the
same thing with regard to their business units and their employees. A risk-sensitive
compensation framework will help provide the right incentives for employees, and
establish a better link between the actions of those employees and the firm's overall risk
profile. Institutions should be particularly sensitive to employee activities that could
either directly or indirectly impair access to funding or disrupt liquidity.
192

Appendix C
Clearly, bank directors have an influential role to play in setting compensation, and they
should exercise their authority to establish a more risk-sensitive compensation
framework while embedding it in the broader strategic risk management framework of
the institution. Directors should understand the consequences of providing too many
short-term and one-sided incentives. There are many ways that this risk sensitivity could
be accomplished, and it is up to the firms themselves to arrive at solutions. One
possibility, for example, is to include more types of deferred compensation, since the
risks of certain investments or trades may not manifest themselves in the near term. It
makes sense to try to match the tenor of compensation with the tenor of the risk profile
and, thus explicitly, take into account the longer-run performance of the portfolio or
division in which the employee operates. A good risk-sensitive compensation regime,
properly embedded in a strong strategic risk management framework, can bring about
changes in behavior so that the firm's employees refrain from taking on risk beyond the
firm's stated risk appetite. Perhaps most importantly, such a compensation regime must
give the appropriate incentives to take risks fully into account during good times, when
many often underestimate longer-term risks.
Conclusion
I have tried to lay out the importance for banking institutions to develop and maintain a
strategic risk management framework that fully incorporates all the risks they face--both
internal and external--when making choices about what activities and markets in which
they will operate. Indeed, having a corporate strategy that does not include risk
management at its core is not really a strategy at all. Market infrastructure, which affects
not only the ways in which firms are connected to each other but also the types of
shocks to confidence that they may encounter, is an important external factor that should
be taken into account in strategic risk management.
As a concluding point, I will offer a few comments on one additional area to which
banking institutions must pay particular attention: the regulatory and supervisory
structure in which banks operate. Banking is an industry that is subject both to market
competition and considerable regulation. Therefore, banking institutions must not only
evaluate potential changes in the competitive financial landscape (as I noted earlier), but
must also pay attention to potential changes on the regulatory side.
Over the past year, there have been a number of suggestions for possible statutory
changes in U.S. financial services regulation, so bank directors must be prepared for
whichever outcomes such changes might imply for the regulatory structure in the United
States. For example, the Congress may wish to undertake legislative action to effect
regulatory changes, or there may be changes to the existing authority and responsibility
of certain regulatory bodies. In any event, there will likely be some type of adjustments
193

Appendix C
in regulatory structure simply given the changes in the financial services landscape.
Given the fluid situation in which we find ourselves today, bank directors and senior
management in their strategic planning have to anticipate a range of potential outcomes
in the regulatory sphere in both the short and long term.
Since banking and financial markets are so interconnected, the fundamental

transformation in financial services is affecting all types of financial institutions, even
those less directly affected by recent events. Importantly, in developing strategic risk
management frameworks, institutions must not only understand the direct consequences
to their own firms of such shifts, but must also recognize that consequences to other
firms can have effects on the broader market. The heightened importance of funding and
liquidity is a clear example of a major change that has far-reaching ramifications and,
thus, has to be appropriately addressed in assembling any credible strategic risk
management framework in an interconnected world.
194

Appendix D
Appendix D
Overview: Standard & Poor’s to Apply Enterprise Risk Analysis to Corporate Ratings
In May, 2008, Standards & Poor’s Rating Services (S&P) released an announcement
indicating that they would enhance their ratings process for non-financial companies to
include a review of enterprise risk management (ERM). Their ERM reviews are
intended to: “provide investors and issuers our views of a management team’s ability to
understand, articulate, and successfully manage risk.”
The announcement also indicated that S&P would include the ERM reviews and
discussions in reviews conducted in 2008 but would defer scoring of ERM capabilities
until later in 2009.
The S&P announcement is an excellent document on ERM basics and should be read by
directors and senior executives, regardless of whether their organizations’ are subject to
reviews by S&P. The basic ERM concepts and approach discussed in the announcement
form a solid foundation for understanding ERM from the top down. The discussion in
the S&P announcement is around three key areas; 1) how they define “ERM,” 2) the
risk management culture, and 3) strategic risk management.
S&P first outlines what they believe ERM is and is not. They discuss the approaches
and processes that encompass ERM. These include expectations on what risks the
company will and will not take and also not that this is a fundamental responsibility of
the board and senior management. They also note that ERM is not a guarantee or a
method of eliminating risk and it is not a passing fad.
The analysis of the risk management culture will also be explored by the S&P analysts.
In these areas, they will focus on risk management frameworks, roles of staff and
reporting lines, communications, and policies and metrics. The influence of risk
management on budgeting and management compensation will also be discussed. These
points of discussion represent a solid conceptual base for any discussion of the
importance and key elements of a risk management culture.
The final area of analysis is strategic risk management. Key topics here are
management’s views of the most consequential risk facing the firm and the frequency
for updating these top risks. They also note the role of risk management in strategic
decision making.
195

Appendix D
This expansion of S&P’s rating process is clearly important to executives and directors
of companies rated by S&P. However, as noted above, we believe the key concepts and
topics contained in the announcement are applicable to all organizations. Accordingly,
we recommend all executive and directors take the time to read and reflect on their key
points.
196

Appendix E
Appendix E
Overview: Best Practices for a Board’s Role in Risk Oversight
Moody’s Investors Service
Moody’s Investors Service issued a Special Comment during August of 2006 entitled
Best Practices for a Board’s Role in risk Oversight. The report discusses Moody’s
views that the risk oversight role of the board is critical in the sound running of an
institution. Moody’s lists five central functions that the board has with respect to risk.
1) Approve the firm’s risk appetite as a component of its strategy

Moody’s views it as important that the board understands and approves the firm’s
risk appetite. They also point out the need for alignment between the organization’s
strategy, risks and financial objectives.
2) Understand and question the breadth of risk faced by the company

The board should have a good grasp of the risks facing the organization and be
updated on a regular basis. The board should receive regular communications and
also updates on trends of risks. Training is noted as being particularly important.
3) Ensure robust oversight of risk at the board committee and senior management
levels
Moody’s believes that risk focused committees are most effective when staffed with
skilled directors and that sufficient time is allocated to coordinated risk oversight.
4) Promote a risk-focused culture and open communication across the

organization
Moody’s notes the key elements of promoting a culture where decision-making at all
levels is sensitized to risk matters and risk-adjusted performance. These elements
include setting the “Tone at the top” and giving board members direct access to risk
professionals.
5) Assign clear lines of accountability and encourage an effective risk

management framework
Moody’s indicates that the board should approve a risk management policy that
includes the objectives of risk management, mechanisms to elevate issues and
conflicts and how they will monitor action plans. The policy should establish clear
lines of authority and ensure the integration of risk insights into the planning
processes.
197

Appendix F
198

Appendix F
199

Appendix F
200

Appendix F
201

Appendix G
Appendix G
Glossary of Terms
Enterprise Risk Management (ERM) is a term normally associated with

more formal processes spanning an organization dealing with the
organization’s risks. This term is formally defined by COSO as:
“Enterprise risk management is a process, effected by an entity’s board
of directors, management and other personnel, applied in strategy setting
and across the enterprise, designed to identify potential events that may
affect the entity, and manage risks to be within its risk appetite, to
provide reasonable assurance regarding the achievement of entity
objectives.”
Governance, Risk and Compliance (GRC) has come into increasingly

common use, particularly by consultants and vendors. However, there is
not good universal understanding of the term or its objectives. In some
cases, the “GRC” term is associated with various technology tools,
designed to assess risks or conduct automated tests of controls. In other
cases, the “GRC” label is attached to a unit within the organization that is
conducting controls testing across the organization. GRC should be
really be viewed as a holistic approach or framework, intended to enable
a look across an organization’s various risk and control units to align
their unique roles around common objectives (eg. protecting shareholder
value) and then leverage common processes and knowledge to increase
their efficiency and effectiveness. For example, an organization may
have multiple risk and control units each conducting separate risk
assessments. The Strategic GRC Framework, which was presented in
Strategic Finance in February, 2009 displays a frame work that is useful
in explaining these concepts. Executives are cautioned not to just
purchase a “GRC tool” or undertake a GRC initiative without a good
understanding of the strategic GRC framework and objectives for their
organization.
Risk Management as a generic term is used to describe any of the

activities or processes an organization uses to manage risk. Virtually all
organizations have some risk management activities occurring, even if
they are not labeled formally as such. These can be informal activities or
decentralized activities occurring in business units or more formal
activities. It can be very limiting, for example in some companies “risk
202

Appendix F
management” may be understood to only refer to their insurance

activities, or very expansive such as in organizations that have a “risk
management” function conducting enterprise wide risk activities.
Accordingly, the term itself is very generic and it does not define any
specific set of activities. It really constitutes a very generic description of
risk activities.
Strategic Risks are those risks that are most consequential to the
organization’s ability to execute its strategies and achieve its business
objectives.
Strategic Risk Assessment is a systematic and continual process for

assessing significant risk facing an enterprise
Strategic Risk Management is a process for identifying, assessing and

managing risk anywhere in the strategy with the ultimate goal of
protecting and creating shareholder value. It is a primary component and
foundation of Enterprise Risk Management; is effected by boards of
directors, management and other personnel; requires a strategic view of
risk and consideration of how external and internal events or scenarios
will affect the ability of the organization to achieve its objectives;
requires an organization to define a tolerable level of risk or risk appetite
as a guide for strategic decision making; and is a continual process which
should be embedded in strategy setting and strategy management.
203

About the Authors

Dr. Mark L. Frigo
Dr. Mark L. Frigo, PhD, CPA, CMA is Director of The Center for Strategy, Execution,
and Valuation and the Director of the Strategic Risk Management Lab in the Kellstadt
Graduate School of Business at DePaul University and Ledger & Quill Alumni
Foundation Distinguished Professor of Strategy and Leadership. Author of six books
and over 80 articles, his work is published in leading journals including Harvard
Business Review. Dr. Frigo is a frequent contributor and an editor for Strategic Finance
and lectures at universities and conferences throughout North America and Europe. He
is a leading expert on strategy and execution in high-performance companies and
strategic risk management. Dr. Frigo is the co-author (with Joel Litman) of Driven:
Business Strategy, Human Actions and the Creation of Wealth (2008).
His professional career has included corporate strategic planning, mergers and
acquisitions, and management consulting in strategic services at an international
consulting firm.
Dr. Frigo is recipient of the Economos Award for outstanding teaching in the Kellstadt
Graduate School of Business MBA program, the DePaul University Excellence in
Teaching Award, the Outstanding Accounting Educator of the Year Award by the
Illinois CPA Society and numerous awards by professional organizations for his
executive education programs and he was recently profiled in Crain's Chicago Business
in an article about top Business School professors. As an avocation, Dr. Frigo is a
teacher of the way of martial arts and holds the rank of Yon Dan (4th degree Black Belt)
in Shotokan karate; he is an instructor at the Jiu-Jitsu Institute (Chicago’s oldest marital
artist school, established 1938), and a senior student of Master Sensei Wataru
Nakamoto.
He received his Bachelor of Science degree in Accountancy from the University of

Illinois, an MBA degree from Northern Illinois University and completed postgraduate
studies in the Kellogg Graduate School of Management at Northwestern University. He
is a CPA in the State of Illinois and a Certified Management Accountant. Dr. Frigo
received his Ph.D. in Econometrics.
He serves as an advisor to senior executive teams and boards of directors. You can
reach Mark at mfrigo@depaul.edu or 312.362.8784.
204

About the Author

Richard J. Anderson
Richard J. (Dick) Anderson, MBA, CPA, CFSA is Clinical Professor of Risk

Management at The Center for Strategy, Execution, and Valuation and the Strategic
Risk Management Lab in the Kellstadt Graduate School of Business at DePaul
University. Professor Anderson is a frequent speaker and author. His articles have
appeared in publications including, The Journal of Accountancy, Internal Auditing,
Strategic Finance, Director’s Monthly, Bank Management, American Banker, Financial
Executive and The Journal of Business Strategy. He is a recognized expert on internal
auditing, risk management and audit committee practices.
Dick is a retired partner of PricewaterhouseCoopers LLP (PwC) where he held a number

of leadership roles including serving as Financial Services industry leader for the
Advisory practice in the Chicago office and the Midwest Region. He served many of the
firm’s largest financial services clients in North America, Europe and Asia. While at
PwC, he participated with PwC teams that wrote “Audit Committee Effectiveness –
What Works Best, 3rd Edition” published by the Institute of Internal Auditors and
“Enterprise Risk Management – Integrated Framework, Application Techniques”
published by The Committee of Sponsoring Organizations of the Treadway
Commission. Prior to joining PricewaterhouseCoopers, Dick served as global head of
internal audit and credit review for Continental Bank Corporation.
Dick is also an active member of the Institute of Internal Auditors (IIA). He previously
served three terms with the IIA’s International Professional Issues Committee where he
was actively involved in developing professional guidance to internal auditors. He
currently serves as a member of the Board of Trustees of the IIA Research Foundation.
Dick has had a number of articles published in the IIA’s publication Internal Auditor.
He co-authored the article “Stepping Up,” which appeared in Internal Auditor and was
awarded it Outstanding Contributor Award in 2006.
He received his Bachelor of Science degree in Accountancy from St Joseph’s College

and an MBA degree from Northern Illinois University. He is a CPA in the State of
Illinois, a Certified Financial Services Auditor and member of the American Institute of
Certified Public Accountants and the Illinois CPA Society. .
You can reach Dick at rander37@DePaul.edu or 312.848.2155.
205

206

207


STrategic Risk Management

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

STrategic Risk Management

Caricato da

Copyright:

Formati disponibili

Licensed to: Omar Chaudhry S/N:6f090f9fa34ac6b79a0b64e25217bee4

Licensed to: Omar Chaudhry S/N:6f090f9fa34ac6b79a0b64e25217bee4

Licensed to: Omar Chaudhry S/N:6f090f9fa34ac6b79a0b64e25217bee4

Licensed to: Omar Chaudhry S/N:6f090f9fa34ac6b79a0b64e25217bee4