March 2010
Edition 1.0
Do not copy or redistribute in any way without express written consent of the authors
Contents
Acknowledgements
Preface
Overview and Use of the Primer 1
Acknowledgements
This book is based on an evolving approach for risk management, an approach that is
focused on the strategic risk faced by organizations. It is based on the Return Driven
Strategy framework, which has been used by management teams and boards to guide
strategic decisions toward growth, profitability and superior wealth creation. The
Return Driven Strategy framework was developed over a ten year period through
collaborative research and applications and is described in the book Driven: Business
Strategy, Human Actions and the Creation of Wealth (www.returndriven.com) which I
wrote with Joel Litman.
As boards and management teams used the Return Driven Strategy framework for
strategic planning, they started to hone in on the key strategic risks in the business plans
of the organizations and found insight into how to better manage the risk. This was the
beginning of the applications of the Return Driven Strategy framework for strategic risk
assessment and strategic risk management. Another force supporting this movement
was the recognition by thought leaders, directors and executives in risk management that
the Return Driven Strategy framework provided a robust approach for strategic risk
management, which was an “unmet need” in the business world. Over the last three
years, we have made numerous presentations and keynotes at executive and academic
conferences around the world to gain insight and share insight.
I would also like to acknowledge Joel Litman, the co-creator of the Return Driven
Strategy framework and co-founder of the Center for Strategy, Execution, and Valuation
in the Kellstadt Graduate School of Business at DePaul University. To Mark S. Beasley,
director of the ERM Initiative at North Carolina State University and Randy Nornes,
Executive Vice President at Aon Risk Services for their valuable contributions. To
Robert Kaplan, Harvard Business School, for his thought leadership in strategy
execution and his insight through our discussion on risk management. To Venkat
Ramaswamy, University of Michigan Ross School of Business, for his collaborative
work with me on linking Return Driven Strategy, Strategic Risk Management and Value
Co-Creation. I would also like to thank research fellow Michael L. Frigo and Graduate
Research Assistants Michael Gardon, Elvira Galimova, Chen Luo and Andrew Jameson.
We sincerely thank the business leaders, directors, and students who have participated in
the seminars and courses conducted around the world over the last several years.
Preface
This book focuses on the latest developments in applying the Return Driven Strategy to
the area of strategic risk management. During the last two years, we have seen
dramatic events unfold and huge amounts of wealth destroyed. In 2008, we launched
the Strategic Risk Management Lab in the Center for Strategy, Execution, and Valuation
at DePaul University. The Strategic Risk Management Lab is an engagement platform
and forum for thought leaders and practitioners in Enterprise Risk Management (ERM)
and Strategic Risk Management. The Strategic Risk Management Lab provides
collaborative research in the Strategic Risk Management and ERM areas and sharing of
leading practices in Strategic Risk Management based on the extensive research on high
performance companies in The Center for Strategy, Execution, and Valuation and the
Return Driven Strategy Initiative.
Articles from Strategic Finance in this Primer are reprinted with permission © copyright
2009, 2008, 2007 by the Institute of Management Accountants (IMA®), Montvale, N.J.,
www.imanet.org.
The June 2009 article from Internal Auditor in this Primer was reprinted with permission from
the Internal Auditor, published by The Institute of Internal Auditors, Inc., www.theiia.org.
This chapter presents an approach for linking risk management with strategic planning
and strategy execution. It begins with the premise that first we must understand the
strategy of the organization, then understand the risk in the strategy, and then identify
measures and ways to monitor and manage the risk.
Chapter 1
One of the challenges facing management teams is finding a way to integrate risk
management into the strategy development and strategy execution processes of the
organization. At the same time, there are many approaches for strategy development
and strategy execution.
1 Kaplan, Robert S. and David P. Norton, The Execution Premium: Linking Strategy to Operations for
Competitive Advantage (Harvard Business School Press) 2008 and Kaplan, Robert S. and David P.
Norton, “Mastering the Management System,” Harvard Business Review, January 2008.
elements in each stage. Companies considering this process have yet another reason to
adapt it for strategic risk management. At the Strategic Risk Management Lab at
DePaul University we are working with management teams to help them embed and
incorporate Strategic Risk Management and ERM into each stage of the management
system.
Exhibit: The Execution Premium Process (stages from Develop the Strategy through Test and Adapt, with Results, Execution and Initiative elements). Source: Kaplan and Norton, The Execution Premium Process (Harvard Business School Press, 2008).
© Copyright Dr. Mark L. Frigo 2009 – Do not copy or redistribute without express written consent of Dr. Mark L. Frigo
The Exhibit below shows how Strategic Risk Management can be embedded in the
management system.
In Stage 2, Translate the Strategy, they identify strategic risk management objectives
and measures which can be included in Balanced Scorecards and also use Strategy Maps
to identify the cause-and-effect linkages and root causes of key strategic risks. They
also define the Risk Appetite based on the strategy and strategic risk assessment. The
development of Risk Appetite is not an easy task. We recommend developing a set of
risk tolerance and risk appetite guiding principles as part of Stage 1 Develop the
Strategy where the Enterprise Risk Policy and Appetite (see Chapter 5) is developed.
In Stage 3, Align the Organization, management teams align the governance, risk and
control units based on the Strategic GRC Framework. This would include developing
the Enterprise Risk Policy and Appetite (see Chapter 5), which sets the stage for aligning
the control units.
In Stage 4, Plan Operations, they develop strategic and business unit Key Risk
Indicators (KRIs) and develop business unit risk dashboards and reporting using the
KRIs.
In Stage 5, Monitor and Learn, management teams hold strategic risk management
reviews where the Strategic Risk Management framework is used to provide a common
language and perspective on risk, and they monitor and report on KRIs.
And in Stage 6, Test and Adapt, management teams conduct strategic risk analysis and
monitor emerging risks.
Considering risk during strategy planning also creates an ability to seize risk
opportunities. Again, the goal of ERM is to preserve and enhance value. In some
situations, ERM may reveal areas where the enterprise is being too risk averse or is
ineffectively responding to similar risks that exist across multiple silos of the enterprise.
In other situations, ERM may identify risk opportunities that may create potential
increased returns to the enterprise. If risks are ignored in strategy, risk opportunities may
be overlooked.
As the consumer products company began to launch its ERM processes, senior
management quickly discovered a huge potential threat to this strategic arrangement
with the retail customer. The company’s information technology (IT) disaster recovery
processes were set to be within acceptable tolerance limits established by the IT group.
In an effort to balance costs with perceived IT needs, the IT group had put recovery
procedures in place to fully restore IT-based sales systems within a two-day (not two-
hour) period. When core sales executives learned about this recovery time frame, they
quickly partnered with IT to reduce recovery thresholds to shorter windows of time. Had
they not linked IT’s disaster recovery response risks with the sales strategies to fulfill
customer orders within two-hour increments, a looming IT disaster could have
significantly affected their ability to achieve sales goals, thus compromising the
enterprise’s ability to achieve strategic goals. Needless to say, this discovery also
prevented other risks that might have been triggered by a disaster, including legal risks
tied to contract violations, cash flow losses due to idle sales functions, and reputation
risks that could have been realized given the large size and visibility of both the
consumer products company and retailer customer.
The next step to strategic risk management surrounds defining the entity’s use of the
term “risk.” Michael Porter’s definition in his landmark book, Competitive Advantage is
useful:
“Risk is a function of how poorly a strategy will perform if the ‘wrong’ scenario
occurs.”2
Thus, strategic risk management begins by identifying and evaluating how a wide range
of possible events and scenarios will impact a business’s strategy execution, including
the ultimate impact on the valuation of the company.
Before management can effectively manage risks that might be identified by various
scenario analyses, they need to define an overriding risk management goal. Risk
appetites can vary across industries and entities. Without an understanding of
stakeholder appetites for risks, neither management nor the board know what strategic
risks are to be managed and what risks are to be accepted.
2 Porter, Michael E., Competitive Advantage, New York: Free Press, 1985, p. 476.
The Return Driven Strategy® framework is an effective tool for integrating strategic
goals and risk management goals. The framework is the result of more than a decade of
research and application, involving the study of thousands of companies and the
identification of strategic activities that separate the best performers from the worst. The
Return Driven Strategy framework describes the hierarchy of strategic activities of best
performing companies in terms of financial impact and shareholder value.
The Return Driven Strategy comprises eleven core tenets and three foundations
that together form a hierarchy of interrelated activities that companies must perform to
deliver superior financial performance. These tenets and foundations summarize the
common activities of high performance companies and identify flawed strategies of
marginal performers. Here is a list of the eleven tenets and three foundations of Return
Driven Strategy.3
3 Frigo, Mark L. and Joel Litman, Driven: Business Strategy, Human Actions and the Creation of Wealth,
Strategy and Execution (2008).
This framework describes how an enterprise’s strategy can be aligned with the ultimate
objective to “Ethically Maximize Shareholder Wealth.” This is a valid goal for a
business entity: to create shareholder wealth, to strive to maximize it, and to do so while
adhering to the ethical parameters of stakeholders and communities.4
That ultimate strategic goal can work simultaneously as the entity’s risk management
goal as well. That is, management must understand, define, and then align risk
management activities toward ethical shareholder wealth creation objectives. In doing
so, risk management activities must be justified in terms of shareholder wealth creation.
If wealth preservation or creation isn’t linked to risk management activities, then
particular risk management activities should be challenged.
We believe that, to be effective, a framework for strategic risk management needs to
include these three characteristics:
1. Alignment with a Commitment to Ethically Create Shareholder Wealth.
Risk management must have a strong alignment with protecting and creating
shareholder value. Rule No. 1 of strategic risk management should read: “First, don’t
destroy shareholder value.” But to add value, strategic risk management should be
firmly aligned with the creation of shareholder wealth and have a focus on risk
opportunities (e.g., the “upside” of risk). Of course, shareholder wealth should be
created within the ethical parameters of the constituents and the communities in which
the company operates. Any framework for strategic risk management should have the
ability to make the connection among the strategy of the organization, its execution and
related risk management, and the valuation of the entity.5
2. Holistic. Strategic risk management should be holistic and broad enough to
encompass the spectrum of entity-wide activities needed to achieve an organization’s
strategy. A framework for strategic risk management needs to be integrated so that
various facets of strategic business risk can be linked with the overall goals of the
business. This is where an ERM approach to risk management helps provide value
through its emphasis on viewing risk-related scenarios using a top-down, holistic
4 For more, see Frigo, Mark L. and Joel Litman, Driven: Business Strategy, Human Actions and the
Creation of Wealth, Strategy and Execution (2008); “What Is Return Driven Strategy?” by Mark Frigo
and Joel Litman in the February 2002 issue of Strategic Finance; and “Performance Measures that Drive
the First Tenet of Business Strategy” by Mark Frigo in the September 2003 issue of Strategic Finance.
5 For more about this, see “When Strategy and Valuation Meet: Five Lessons from Return Driven
Strategy” by Joel Litman and Mark Frigo in the August 2004 issue of Strategic Finance.
portfolio approach to determining how various silo risk events might interact to limit or
destroy value. A holistic approach to strategic risk management helps connect various
business unit goals and objectives and related risks to the overall goal of maximizing
shareholder wealth. Without a holistic view, strategic activities within one aspect of the
enterprise may be creating strategic risks for another part of the business.
For example, Harley Davidson’s recent letter to shareholders describes one of its
strategic goals to expand into international markets, particularly China and Japan. The
letter also describes another strategic goal to enhance its “H.O.G.” brand mystique and
motorcycling lifestyle. In this case, the strategic desire to expand into Asian cultures, if
left unmanaged, has the potential to create risks associated with its strategic desire to
expand the Harley mystique if changes are made to Harley products to satisfy the
motorcycling preferences of riders in different cultures. To effectively manage strategic
risks, management needs to monitor how each strategic initiative might be throwing off
counterproductive risks impeding other strategic objectives.6
3. Capable of Identifying and Evaluating Events and Forces of Change.
Strategic risk management has to be an ongoing, continual process. It can’t be an
activity that happens only occasionally. Risks are constantly evolving, which means an
organization’s strategies may need to evolve as well, so effective strategic business risk
management must be capable of regularly identifying and evaluating how events,
scenarios, and forces of change will impact the business strategy and its performance.
Management’s dashboard of key performance metrics should also include key risk
indicators that provide leading information about changing risk conditions so that
management is better prepared to adjust strategies ahead of the risk curve in a proactive
manner, rather than be blind-sided by shifting risk conditions that are realized too late to
adjust deployments of key strategies, such as the situation at Ericsson. Robust
management scorecard reporting systems that include key strategy and risk management
metrics can help strengthen management’s effectiveness at staying on top of key
changes that may impact the entity’s strategic goals.
management have used the framework to evaluate the business strategy, they have been
able to hone in on key risks that could destroy shareholder value while considering the
upside of risk in terms of the opportunities, thereby using it as a strategic risk
management framework.
The Strategic Risk Management Action Plan should consider how risk
assessment and risk management can be integrated in strategy execution
processes. This would include integrating risk management into strategic
planning and performance measurement systems. The Kaplan-Norton
Strategy Execution Model (see Kaplan and Norton, Achieving the Execution
Premium, Harvard Business Publishing 2008), which describes six stages for
strategy execution, provides a useful framework for visualizing where risk
management can be done.
Stage 4 Plan Operations: This stage includes developing the operating plan,
key process improvements, sales planning, resource capacity planning and
budgeting.
In this stage, the Strategic Risk Management Action Plan can be reflected
in the operating plan and dashboards, including risk dashboards.
Stage 5 Monitor and Learn: This stage includes strategy reviews and
operational reviews.
In this stage, Strategic Risk Reviews would be part of the on-going
Strategic Risk Assessment which reinforces the necessary continual,
closed-loop approach for effective Strategy Risk Assessment and
Strategy Execution.
Stage 6 Test and Adapt: This stage includes profitability analysis and
emerging strategies.
In this stage emerging risks can be considered as part of the on-going
Strategic Risk Assessment.
The Strategy Map has been a useful framework for building a “bridge” between
strategy and risk management. Since Strategy Maps are designed for strategy
execution and to provide alignment between the strategic initiatives of an organization,
they can also be used to incorporate risk management.
The Strategy Map below was developed by a management team as part of its strategic
planning process, where the Return Driven Strategy framework was used to focus and
align the strategy to the overall goal in the Strategy Map, “Create and Protect
Shareholder Value”. Strategic Risk Management Objectives are embedded in the
Strategy Map.
Using Strategy Maps to Incorporate Strategic Risk Management Objectives
Exhibit: Strategy Map. Overall goal: Create and Protect Shareholder Value.
Capabilities and Growth perspective, Organizational Alignment: Create a high performance culture and infrastructure.
Strategic Objectives: Develop Balanced Scorecard and Strategy Maps; Expand and Build Strategic Skills, Risk Management Culture; Develop Leadership and Execution-Driven Culture; Enable and Encourage Continuous Learning and Knowledge Sharing; Retain and Develop Critical Talent.
The management team also used the exhibit below to visualize the intersection of
Strategy and Strategic Risk Management, which is Strategy Execution.
Strategy
• The Return Driven Strategy framework provides a way to align the business
strategy to optimize wealth creation.
• It provides a logic and language for having an honest discussion about
strategy and strategic initiatives.
• It provides a “way of thinking”, a way of strategic thinking on a day to day
basis.
• It provides an architecture which leads to the four perspectives of the
Balanced Scorecard and Strategy Maps: Financial, Customer, Internal
Processes, and Capabilities and Growth.
• It provides a way to organize risks.
Strategy Execution
• Strategy Map: Describes the strategic themes and strategic objectives with
the four perspectives of the Balanced Scorecard: Financial, Customer,
Internal Process and Capabilities.
• Strategic Themes: Describe the primary pathways to growth and
profitability.
• Strategic Objectives: Describe what needs to be done to achieve the strategic
themes.
• Execution Plans: Include performance measures, targets and action plans.
• Strategic Risk Management Objectives are embedded in the Strategy Map.
This chapter defines Strategic Risk Management and discusses its growing importance.
Chapter 2
The decade of the 70’s saw the development of “capital markets” activities, especially in
the banking industry. The growth and complexity of the initial derivatives products
and related trading activities spawned the first “risk management” functions in those
banking organizations. These functions were primarily focused on trading and portfolio
exposures and risks as the banks grappled with the risks in these newer products.
As the complexity of financial products and markets continued to evolve, there was a
growing focus on risk management including the expansion of the focus to the broader,
enterprise-wide risks facing organizations. Risk management practices and processes
continued to develop along with a growing awareness of risk on the part of boards and
audit committees. However, there was a lack of an accepted framework or standard that
could be used to evaluate risk management activities.
While the COSO ERM gained wide-spread recognition and acceptance, its
development and publication coincided with the implementation of the Sarbanes-Oxley
Act of 2002 (SOX). For many organizations and their audit committees, dealing with
the implementation and reporting requirements of SOX was overwhelming and
demanded virtually all their attention. Audit committees became very “compliance”
focused and had little time left to deal with strategic issues or risk. Significant attention
was placed on the COSO Internal Control Framework, which was extensively used by
organizations in complying with the financial controls related requirements of SOX.
However, much less, if any, attention was given to the COSO ERM Framework, as SOX
did not require or really address ERM.
Following the period of SOX implementation, the past few years have seen an
unprecedented series of economic losses and the disappearance of shareholder value as
certain organizations have been negatively impacted by various events and risks. This
situation has caused a re-focus on what and how boards and executives are managing
the risks in their organizations. As a result, a number of countries, such as the US, UK
and Australia, have now required boards and/or audit committees to focus more on risk
and risk management. For example, the Listing Requirements of the New York Stock
Exchange (NYSE) now require audit committees of listed companies to discuss their
organizations’ policies related to risk assessment and risk management. In their
commentary on this requirement, the NYSE indicates the audit committee must,
“discuss guidelines and policies to govern the process by which risk assessment and
management is undertaken.” Similarly, rating agencies, including Moody’s and
Standard & Poor’s, have also indicated their interest and focus on risk management practices
including full ERM.
While ERM and risk management in general can encompass a wide range of risks, it
appears that this re-emergence of risk management, when coupled with the catastrophic
losses incurred by some organizations, has given rise to a focus on “strategic risk
management.” Strategic risk management can be defined as “the process of identifying,
assessing and managing the risk in the organization’s business strategy – including
taking swift action when risk is actually realized.” It includes recognition that there
should be a clear and transparent linkage and alignment between an organization’s
business strategy, the risks related to that strategy and the overall objectives of the
organization. Strategic risk management then is focused on the most consequential and
significant risks to shareholder value; clearly an area deserving of the time and attention
of executive management and the directors. An excellent set of attributes for strategic
risk management is contained in the 2008 announcement by S&P; these include:
- “Management’s view of the most consequential risk the firm faces, their
likelihood, and potential effect,
- The frequency and nature of updating the identification of these top risks,
- The influence of risk sensitivity on liability management and financial decisions,
and
- The role of risk management in strategic decision making.”
Clearly then, strategic risk management starts with a basis in the core business strategy
of the organization and the risk embedded in it. However, given the dynamic nature of
risk, it then also encompasses strategic decisions and also the potential impact of
emerging internal and external events. It appears that some of these issues, strategic
decisions and external events, were items that created or magnified some of the strategic
risks that resulted in significant value losses to stakeholders in some organizations.
Accordingly, strategic risk management has become an expected and key component of
an organization’s overall governance processes. There is an expectation that the
directors understand the key strategic risks to the organization and also that they are
performing an appropriate oversight of management’s risk management processes.
We believe that boards can enhance their risk management processes and conduct
strategic risk management without needing to form a fully dedicated ERM unit. The
important item is not to form an ERM unit, but to undertake the processes of strategic
risk management. Support for the board can come from any number of areas within the
organization to start. It is also the observation of the authors that risk management has
a maturity curve and organizations move up the maturity curve as they become more
knowledgeable about risk management, ERM and their own needs. Organizations rarely
move from one extreme of the curve to the other, or in other words, move from no
risk management processes to fully-staffed ERM functions.
Accordingly, it is not necessary to form and staff a stand-alone ERM unit to conduct
strategic risk management. In fact, strategic risk management is a good starting point
for directors and executive management. It focuses them on the risks that are most
important to them and brings to light core risk management processes that can be the
basis for further evolution and, possibly, full-fledged ERM.
One of the major challenges in ensuring that risk management is value creating is to
incorporate ERM in business and strategic planning of organizations. The silos that
separate risk management functions in organizations also create barriers that separate
strategic planning from ERM. In many cases, risk management activities are not linked
or integrated with strategic planning, and strategic risk can be overlooked, creating
dangerous “blind spots” in strategy execution and risk management that can be
catastrophic. The challenge, as well as opportunity, for organizations is to embed risk
thinking and risk management explicitly into the strategy development and strategy
execution processes of an organization so that strategy and risk mindsets are one and the
same.
The economic crisis that began in 2007 is now shining a huge spotlight on the board and
senior management’s enterprise-wide risk management processes. Reform proponents
are pointing to failures in the overall risk oversight processes, including unaware boards,
overreliance on sophisticated models, and under-reliance on sound judgment. Critics
argue that because returns on certain strategic initiatives were so great, risks that were
present were either unknown or ignored.9 Numerous calls are now arising for drastic
improvements in risk management, with a specific call for more formal risk
considerations in managing an organization’s deployment of specific strategic
initiatives.
7 This section is adapted from Beasley, Mark S. and Mark L. Frigo, “Strategic Risk Management: Creating
and Protecting Value,” Strategic Finance, May 2007.
8 For example, see Standard & Poor’s, Enterprise Risk Management: Standard & Poor’s To Apply
Enterprise Risk Analysis to Corporate Ratings, May 2008, www.standardandpoors.com, New York, NY.
9 For example, see The New York Times Magazine, “Risk MisManagement,” January 4, 2009, a feature story
that was highly critical of the shortcomings of risk oversight processes at many of the failed financial
services institutions.
This shift towards greater expectations for effective enterprise-wide risk management
oversight is complicated by the fact that the volume and complexities of risks affecting
an enterprise are increasing as well. Rapid changes in information technologies,
globalization and outsourcing, the sophistication of business transactions, and increased
competition make it that much more difficult for boards and senior executives to
effectively oversee the constantly evolving complex portfolio of risks.
Even before the recent financial crisis, board members believed that risks were
increasing. Ernst & Young’s 2006 report, Board Members on Risk, found that 72% of
board members surveyed believed that the overall level of risk that companies face has
increased in the past two years, with 41% indicating that overall levels of risk have
increased significantly.11 Given recent events, that concern is only heightened.
Management has a similar observation. IBM’s 2008 Global CFO Study
reported that 62% of enterprises with revenues greater than $5 billion encountered a
major risk event that substantially affected operations or results in the last three years,
and nearly half (42%) stated that they were not adequately prepared.12
Many of the risks threatening an enterprise are difficult to see and manage, given their
systemic nature. However, while many risks may be unknown, they often have a similar
impact. Management and boards of directors are increasingly being held accountable
for considering the probabilities and impact of various possible risk scenarios tied to
their overall business strategies, even for risk events that may not be foreseeable. For
example, the events of 9/11 and the catastrophic impact of Hurricane Katrina, while
“unknown” by most, had similar impacts: loss of employees, destroyed operations,
damaged IT infrastructure, lack of cash flow, etc. While management and boards are not
expected to predict the next 9/11 type event, they are expected to consider and be
proactive about thinking of responses to events (whatever the cause) that might have a
similar impact. That is, management should have a plan for any significant scenario that
might lead to consequences that might be detrimental to its core strategy, such as a loss
of employees, destroyed operations, damaged IT infrastructure, lack of cash flow,
drastic shift in regulations, etc.
10 Federal Reserve Governor Randall S. Kroszner’s speech, “Strategic Risk Management in an
Interconnected World,” October 20, 2008, Baltimore, Maryland (www.federalreserve.gov).
11 Ernst & Young 2006 report, Board Members on Risk (www.ey.com).
12 IBM Global Business Survey’s “Balancing Risk and Performance with an Integrated Finance
Organization: The 2008 Global CFO Study,” 2008.
The rise in the volume and complexities of risks is complicated by the fact that many of
the techniques used by boards and senior executives are dated, lack sophistication, and
are often ad hoc. Few boards and senior executives have robust key risk indicators that
provide adequate data to recognize shifts in risks patterns within and external to their
organizations, resulting in an inability to proactively alter strategic initiatives in advance
of risk events occurring. This has created an “expectations gap” between what
stakeholders expect boards and senior executives to do regarding enterprise-wide risk
management and what they actually are doing.
Key Messages:
1. Need to manage risk in an integrated fashion across the enterprise
2. Risk management not only preserves value but also can help create value
Several conceptual frameworks have been developed in recent years that provide an
overview of the core principles for effective ERM processes. In 2004, the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) issued its Enterprise
Risk Management--Integrated Framework, with this definition of ERM (see
www.coso.org):
© Copyright Mark L. Frigo 2008 - Do not copy or redistribute without express written consent of Dr. Mark L. Frigo Page 12
Note that ERM is directly related to “strategy setting”. For ERM to be value creating, it
must be embedded in and connected directly to the enterprise’s strategy. Another part
of this definition refers to the goal of ERM, which is to help the enterprise achieve its
core objectives. So, to be effective, ERM must be part of both the strategic planning
process and the strategy execution process.
In his latest book, Owning Up: The 14 Questions Every Board Member Needs to Ask,
one of the questions Ram Charan asks is “Are we addressing the risks that could send our
company over the cliff?”18 According to Charan, boards need to focus on the risk that
is inherent in the strategy and strategy execution:
“Risk is an integral part of every company’s strategy; when boards review
strategy, they have to be forceful in asking the CEO what risks are inherent in the
strategy. They need to explore “what ifs” with management in order to stress-test
against external conditions such as recession or currency exchange
movements.”19
Regarding risk culture, Ram Charan provides the following insight: “Boards must also
watch for a toxic culture that enables ethical lapses throughout the organization.
Companies set rules – but the culture determines how employees follow them.”20
15 The Conference Board’s Overseeing Risk Management and Executive Compensation Report (December 2008).
16 See the article by Mark Beasley, Bruce Branson, and Bonnie Hancock, titled “Rising Expectations: Audit Committee Oversight of Enterprise Risk Management,” Journal of Accountancy, April 2008, pp. 44-51.
17 See the article by Mark L. Frigo and Richard J. Anderson, “A Strategic Framework for Governance, Risk and Compliance,” Strategic Finance, February 2009.
18 Charan, Ram, Owning Up: The 14 Questions Every Board Member Needs to Ask, John Wiley & Sons (2009).
19 Charan, Ram, Owning Up: The 14 Questions Every Board Member Needs to Ask, John Wiley & Sons (2009), p. 23.
20 Charan, Ram, Owning Up: The 14 Questions Every Board Member Needs to Ask, John Wiley & Sons (2009), p. 28.
21 Charan, Ram, Owning Up: The 14 Questions Every Board Member Needs to Ask, John Wiley & Sons (2009), p. 87.
22 See article by Mark L. Frigo, “Strategic Risk Management: The New Core Competency,” Balanced Scorecard Report, January-February 2009.
The key to successful strategic risk management is the ability to identify those risks that
are embedded in the organization’s business strategy that are potentially the most
consequential. Focusing on strategic risks serves as a filter for management and boards
of directors to reduce the breadth of the risk playing field and ensure that they are
focused on the right risks.
A strategic risk mindset should also consider the “upside” of risk.24 For example,
Target sidestepped the competitive threat from Wal-Mart by focusing on a customer
segment different from Wal-Mart’s and achieved profitable growth opportunities in the
process. As another example, Samsung, confronted with serious brand erosion and
commoditization risk, turned its attention to building on product innovation, speed to
market and a strong brand, turning a position of weakness into a position of market
strength.
Risk can include loss of tangible assets, and it can also mean the potential loss of one of
the company’s most valuable assets—its reputation.25 The H.J. Heinz Company has
centered its enterprise risk management function around supporting an ultimate goal of
protecting the Heinz reputation. In fact, its ERM program is formally known within the
company as “Enterprise Reputation and Risk Management (or ER2M).” Heinz’s ER2M
helps enable the company to meet two primary reputation-related goals: to further
support doing the common thing uncommonly well and to help Heinz become the most
trusted packaged food company. To help management see the importance of thinking
about risk and reputation, Heinz defines risks as “anything that can prevent the company
from achieving its objectives.” They recognize that any event that affects the Heinz
reputation in the food industry will directly impact its ability to achieve its objectives.
23 This section is adapted from Frigo, Mark L., “When Strategy and ERM Meet,” Strategic Finance, January 2008.
24 See Slywotzky, Adrian, The Upside of Risk: The 7 Strategies for Turning Big Threats Into Growth Breakthroughs, Crown Business, 2007.
25 For a discussion on the importance of reputation risk management, see the article by Robert Eccles, Scott Newquist, and Roland Schatz titled “Reputation and Its Risks,” Harvard Business Review, February 2007.
Ultimately, strategic risk management and ERM need to be connected with the potential
impact on shareholder value. Effective strategic risk management should provide a way
for identifying and evaluating how a wide range of possible events and scenarios will
impact a business’s strategy execution, including the impact on the assets and
shareholder value of the company. That’s how risk management is positioned at the
Dow Chemical Company. The objective of effective enterprise risk management at Dow
is to improve management’s ability to run its business under the view that if they can
manage risks better, they can be more competitive. Management and the board realize
they have the responsibility to pursue opportunities, which will require the assumption
of risks. They seek to assume those risks in a well-managed, controlled manner that
recognizes the reality that as new strategies are created, new risks arise that need to be
managed.
The Return Driven Strategy framework provides a way to evaluate the strategic risks of
a company from the perspectives of shareholder value risk, financial reporting risk,
governance risk, customer and market risk, operations risk, innovation risk, brand risk,
partnering risk, supply chain risk, employee engagement risk, R&D risk, and
communications risk. It also provides a useful framework for understanding the cause-
and-effect linkages in critical risk scenarios and explains how those scenarios would
play out in the business strategy and impact profitability, growth, and shareholder
value.26
26 For more about Return Driven Strategy, see Mark L. Frigo and Joel Litman, Driven: Business Strategy, Human Actions and the Creation of Wealth, Strategy and Execution, 2008, and see www.returndriven.com.
One of the challenges facing management teams is how to link business plans and
enterprise risk management. As executives and directors review plans and strategies,
they can use three approaches to improve ERM with the ultimate goal of protecting
shareholder value and corporate assets.
There are three approaches for effective strategic risk management to consider: (1) a
strategic risk assessment process, (2) a process to identify and protect Genuine Assets
that are at risk, and (3) strategic risk monitoring and performance measurement.
Here are some questions to address during a strategic risk assessment process:
• What events or scenarios could create significant downside risk in your
business strategy and plans?
• What key assumptions have been made about the viability of specific
strategic initiatives and what ranges of possible scenarios exist
surrounding the variability inherent in these assumptions?
• What is our appetite surrounding certain strategies and their associated
ranges of key risk exposures? What is the worst case scenario
surrounding each strategy and would the entity be able to survive certain
risk events?
• What countermeasures have been developed to address these risk
scenarios and events?
• Has the company considered the upside of risk and how it plans to realize
the opportunities?
• What are the roles of the CFO, general counsel, chief risk officer (CRO),
internal audit, and others in assessing and managing the threats and
opportunities in your plans and business strategy?
• How is enterprise risk management incorporated and embedded in your
plans and business strategy?
• What performance measures and key risk indicators are you monitoring
to continuously assess and manage strategic business risk?
27 See article by Mark L. Frigo, “When Strategy and ERM Meet,” Strategic Finance, January 2008.
There are several approaches to building a strategic risk management process. Several
are described next.
Risk Assessments--One approach is to regularly assess strategic risks from three
perspectives: risks, opportunities, and capabilities (ROC). Risks are about risk of loss--
the downside of risk, such as loss of revenue or loss of assets. Opportunities are about
the upside of risk, such as opportunities for gains in revenue, profitability, and
shareholder value. Capabilities are about distinctive strengths of an organization that
can be used to manage the risks and opportunities.
Tools for Risk Assessment--There are many tools that can be useful in strategic
risk assessment, including brainstorming, analysis of loss data, self-assessments,
facilitated workshops, SWOT (strengths, weaknesses, opportunities, threats) analysis,
risk questionnaires and surveys, scenario analysis, and other tools.
Competitive Intelligence--The area of competitive intelligence (CI) can be a
valuable part of strategic risk management. CI is an integral component of fact-based
strategic planning processes. It should definitely be part of strategic risk management
and ERM. “The ethical collection and analysis of CI can reduce the risk associated
with strategic decision making,” says Gary Plaster of the Landmark Group and a
founding member of the Society of Competitive Intelligence Professionals. Around 400
BC, Sun-Tzu in The Art of War wrote “Keep your friends close and your enemies
closer” which is one way of thinking about CI. For example, pharmaceutical
companies are vigilant about being at trade shows and scientific meetings, and they
monitor clinical trials in the industry. “War games” are used at pharmaceutical
companies like Wyeth to develop plans to counter potential market moves by
competitors. Competitive intelligence is an asset that can be used to manage customer
and market risks.
Corporate Sustainability Risk--One of the areas often overlooked in risk
management is related to corporate sustainability and corporate social responsibility
(CSR). Connecting strategy and CSR is a challenge for executive teams, as Debby
Bielak, Sheila Bonini, and Jeremy Oppenheim wrote in their October 2007 article,
“CEOs on Strategy and Social Issues,” in The McKinsey Quarterly. The risks and
opportunities facing companies in the area of corporate sustainability are more complex
and have greater potential impact than ever before, and senior executives, board
members, and managers are seeking better ways to manage these challenges and
opportunities. In his book Making Sustainability Work, Marc Epstein presents a
definition for corporate sustainability that’s useful in strategic risk management. He
focuses on nine principles of sustainability: ethics, governance, transparency, business
relationships, financial return, community involvement/economic development, value of
products and services, employment practices, and protection of the environment. Each
of these areas can be assessed as part of strategic risk management. For example,
changes in environmental regulations and expectation of environmental standards for
companies in a global business environment should be considered in risk assessment
and risk management strategies.
Risk Transfer and Retention Strategies--One of the basic countermeasures for
managing and mitigating risk involves risk transfer and retention strategies. After
identifying critical risk scenarios, which include the potential effect on company assets
and shareholder value, management must determine how much should be retained or
transferred. The risk management strategy should consider whether to protect corporate
assets by purchasing insurance, self-insuring, or creating a captive. This assessment will
require a deep understanding of the types and limits of insurance and consideration of
emerging legal, regulatory, and political trends; damage awards; geographic locations;
available insurance products; and options as well as coverage law.
28 For a discussion on Genuine Assets, see Chapter 12, “Genuine Assets,” in Frigo, Mark L. and Joel Litman, Driven: Business Strategy, Human Actions and the Creation of Wealth, Strategy and Execution (2008).
Genuine Assets are the tangible and intangible resources, capabilities, and traits that
make an organization and its offerings unique, such as employee expertise, brand,
reputation, etc. As mentioned, some Genuine Assets appear on the balance sheet, but
many don’t. As the “building blocks” of strategy, Genuine Assets form the basis for
creating sustainable competitive advantages. And only through these advantages can
you plan and execute business strategy that leads to higher returns, higher growth, and,
ultimately, increased market value.
When identifying these assets, management should be very specific as to what the
Genuine Asset is. They should think specifically about how it allows the company to
accomplish its strategy in ways other firms couldn’t, thereby leading to higher
performance. How difficult would it be for another firm to develop a similar Genuine
Asset, allowing it to copy the activity that led to high performance? How long would it
take? How much money would it cost?
Figure: examples of Genuine Assets by category
Value Chain Relationships & Intelligence: Unique partners; Alliances; Key vendors; Vendor intelligence, communication; Unique government relationships
Physical: Specialized or well-located facilities; Specialized or well-located plants or distribution
Financial: Deep pockets, CASH; Access to capital; Financial strategy that fits the organization
To help identify and manage the risk to Genuine Assets, management should ask three
questions:
1. What are the most valuable and unique capabilities and resources (Genuine
Assets) of the company?
2. What scenarios and events could put the most valuable Genuine Assets at risk?
3. What countermeasures can be developed to protect these assets?
the information on a $20 storage device or a $1,000 laptop, if not protected, could result
in potential loss of customers, corporate reputation and shareholder value.
Some Genuine Assets can support and be part of an effective risk management strategy
and can help protect a company against risks. For example, having a “Plan B” in place
for potential disruptions in critical parts of the supply chain is an example of a Genuine
Asset for effective strategic risk management. Another example is employees having a
risk mind-set and risk attitude that support the organization’s strategy and risk appetite.
Introduction
Understanding and managing an organization's risks has become an increasingly
important part of governance processes and the role of the director. The activity
commonly referred to as “risk management” has continued to evolve and become more
recognized as a necessary part of an organization’s overall governance process. Risk
management had its roots in the financial services industry, but today it has found
applicability across all industries. This evolution has also included the awareness that,
while there are many risks faced by an organization on a day-to-day basis, the
organization’s strategic risks are the real purview and focus of directors. To help
management and directors move up the learning curve on risk management, this article
discusses some of the basic concepts of risk management, helps define strategic risk
management and offers practical recommendations for directors on these important
topics.
Over the past few years, the concept of risk management as a separate activity has
developed and moved from a conceptual idea to become a more acknowledged part of
an organization’s governance process. For many organizations, “risk management” had
been a term used solely to describe the organization’s process of obtaining insurance to
cover certain insurable risks. Risk management functions focused on broader enterprise
risks first became more evident in the financial services industry in the 1980s as those
organizations took on various trading and market risks. During the 2000s, the concept
and activities of risk management functions evolved significantly, as evidenced by these
four events.
These events made it clear that it is no longer sufficient for management to just say that
they managed risks every day. For example, Moody’s Special Comment indicates that,
“Moody’s set high expectations for boards’ role in shaping a firm’s risk appetite and
ensuring a proper risk management framework is in place.” There are clear needs for
organizations to acknowledge that risk management has to be a key governance activity,
up to and including the directors. Additionally, there is a corresponding need for
transparency around the risk management processes. Particularly given the focus of the
rating agencies, directors must insist that, if their organizations are not moving forward
on risk management on some basis, management begin to develop an approach to risk
management.
For this to occur, senior management and the directors need to move up a learning curve
on risk management, rather than attempting to leap from having no formal risk
management processes or function to a fully implemented enterprise risk management
function. Our observations from dealing with a number of organizations and their
directors are that systematically moving up the learning curve, rather than trying to
leapfrog too far too fast, is a critical success factor in successfully evolving an organization's
risk management processes. The mantra should be to “get moving, but keep it simple.”
Taking small, understandable steps is important to keep everyone coming up the curve
together, as is the need to keep moving up from one level to the next.
focus on. This perspective can help the directors ensure that their valuable time and
efforts are focused at the right areas and risks.
Clearly then, one of the key challenges for directors is to understand the real strategic
risks that could impact shareholder value and the risk management processes around
those strategic risks. That requires a process between management and the directors to
identify and agree on those critical risks that can potentially have the most impact on
stakeholder value. This also must be a manageable and understandable set of risks.
Generating long lists of possible risk events and page after page of risks and events,
while real, may be more confusing and cloud the identification of the most critical risks.
Applying the concept of strategic risk management, organizations recognize that while
many risks have the potential to cost the organization some money, certain risks have
the potential to significantly impact shareholder value. Those are the risks that should be
on the radar of the directors. To assist directors and management in identifying real
strategic risks, some organizations use a framework, such as the Return Driven Strategy
framework described below.
Figure: three levels of risk management (Reactive, Aware, Strategic)
Reactive: Lack of Board or senior management emphasis on risk; No common risk language; Stove-pipe risk management; Ad hoc approach; Missing coverage of risk areas
Aware: Board and senior management support; Risk leaders identified; Periodic risk profiling; Key risks defined in common vocabulary; Recognized need for ERM
Strategic: Proactive board and senior management involvement; Risk managed and assessed across entire organization using a SRM framework; Common language and approach used and understood; Continuous and real-time monitoring and analysis of risk portfolio; Strategy and Performance Measures aligned with Risk Management
Directors should consider starting with some simple exercises to identify and understand
the organization’s strategic risks and the resulting composite risk profile. Some
organizations have used meetings of the board or with management to develop and
agree on a “top ten” list of strategic risks. Others have used their internal or external
auditors to assist them in developing and prioritizing lists of the key strategic risks.
Another good approach is to take the organization’s strategic plan and “mirror” it with an
analysis of the risks associated with each major activity of the plan. To help frame such
discussions, some organizations find it useful to work off a framework, such as the
Return Driven Strategy, to give them a way to systematically work through the process.
The Return Driven Strategy framework defines a set of tenets and foundations which
fully describes the business strategy and activities that drive the best performing
companies in the world. Related to each tenet are risks that form a strategic risk
framework. This framework allows management and directors to hone in on key risks
that could destroy shareholder value while considering the upside risk in terms of
opportunities, thereby using it as a strategic risk management framework.
Once the directors and senior management have developed their initial set of strategic
risks, they should consider activities that will assist them to better understand the risks
and related mitigation activities. For example, a standing agenda item may be added to
their board or audit committee agenda for risk management. This time could be used for
more detailed presentations by management on how individual strategic risks that have
been identified are mitigated and monitored. For example, one audit committee
developed a template that business leaders use to develop presentations to discuss the
key risks in their businesses. The use of the template ensures consistency of the
presentations and keeps the discussions focused in the areas of highest interest. These
discussions include critical points such as:
These types of presentations serve both to enhance the education and understanding of
the directors while bringing additional transparency to the organization’s risk
management processes.
The identification of the key strategic risks also enables management and the directors
to move into the discussion and articulation of the organization’s risk appetite. The
Moody’s Special Comment highlights that, “Best practice calls for the risk appetite to be
clearly and explicitly identified in terms of the types of risks that the firm is ready to
retain and the total exposure it is comfortable with.” The discussion and setting of the
risk appetite can be both an enlightening and difficult corporate governance initiative.
We observe that too few organizations have gone through this exercise and have an
informed understanding of their risk appetites.
Risk management processes are those processes that an organization uses to identify,
mitigate and manage risks. Often, as organizations begin looking at their risk
management processes, they find that the processes are immature or informal. In these
situations, the COSO ERM Integrated Framework is a useful tool to help identify gaps
in risk management processes and opportunities to enhance existing processes. Again,
for those organizations just moving into risk management, a critical success factor is to
keep the processes and resulting reporting simple and understandable. As the
organization’s risk processes evolve, you can move to more complex processes and
reporting. In the beginning, simple exercises like compiling a list of the "top 10 risks
facing the organization" can be an effective way to get the topic on the table. A periodic
meeting to review and update the list may also be an effective way to refresh the list and
expand the topics.
Directors should also consider where the risk management activities should be
conducted and what the right level of resources should be. Some use the audit
committee and seek to leverage the work of their internal and external auditors. Other
organizations have formed separate risk committees of the board, to take some of the
workload off the audit committee and facilitate a more in depth focus on risk
management. Management should also discuss with the directors how the risk
management process is structured and managed within the organization and whether a
separate ERM function is appropriate or if risk management can be conducted through
another corporate function. These discussions also should include how risk management
is handled or embedded into the line business activities, to create an entity-wide risk
management culture.
Great Expectations
Directors need to challenge themselves and their organizations to move up the risk
management learning curve. The complexities of the world today and the “raising of the
bar” from a corporate governance standpoint will both demand that directors and
management devote more time and attention to risk management activities. There are
great expectations on the part of directors to manage strategic risks. However, while
the need is there to get moving, organizations need to acknowledge that they are moving
up a learning curve. "Keep it simple” is the rule of the day to get started. Directors will
need to focus their limited time on strategic risks, and ensure that the organization has
the necessary awareness and management activities around those key risks.
Continuing evolution of the process will ensure that expectations are met both internally
and externally as ERM increasingly takes hold.
• Info sharing and flows may be the most critical factor for some
organizations’ ability to avoid or minimize risks
Chapter 3
Rising Expectations
Enterprise risk management (ERM) has become a top priority for directors and senior
management. In various ways, investors, regulators, rating agencies, employees and
corporate activists have all raised their expectations for organizations around how risk is
understood and managed. Rising expectations for better risk management are reflected
in a recent global survey of enterprise risk management in the insurance industry
conducted by PricewaterhouseCoopers which identified increasing stakeholder scrutiny
as a key driver in the recent development of enterprise risk management and noted that
the bar is set to rise further in coming years.29
These growing expectations also focus on more than just the general process of risk
management or general, legalistic risk discussions in financial disclosures. With the
recent major business failures, these expectations are more and more aimed at the core
issue of whether management and the directors understand fully and are managing
effectively the organization’s key strategic risks arising from the organization’s core
business strategy.
Responding to these expectations can take many different forms; from creating formal
enterprise risk management functions to more informal discussions and initiatives.
However, any initiative into the broad topic of “risk” has the possibility of literally
burying the participants with long lists of risks or events that the organization is exposed
to and blurring the focus of both management and the directors. Long lists of risks can
also mask those risks that are most significant to the organization and its ability to create
value for its stakeholders.
29 “Does ERM Matter?” Report by PricewaterhouseCoopers, June 2008.
30 Beasley, Mark S. and Mark L. Frigo, “Strategic Risk Management: Creating and Protecting Value,” Strategic Finance, May 2007.
The key to successful strategic risk management is the ability to identify those risks that
are embedded in the organization’s business strategy that are potentially the most
consequential. This linkage of business strategy to the resulting strategic risk is critical.
However, in some organizations, while it may be possible to identify strategic risks
simply through informal or formal discussions, that type of approach may be hit or miss
and leave open the possibility of missing a critical risk, creating dangerous “blind spots”
in risk monitoring and risk management. To better enable a holistic analysis of strategic
risk, a tool or framework that would facilitate the analysis, understanding and discussion
of critical strategic risks would be most helpful.
Return Driven Strategy is a proven framework that describes the pattern of strategic
activities shown to drive superior corporate performance. The framework has been used
and vetted by many organizations as an effective way to develop and analyze business
strategies. The key tenets and foundations of the Return Driven Strategy also can be
viewed from the perspective of their associated risks. Each tenet and foundation presents a
type or types of risks that are related to that specific strategic activity. When viewed
through this lens, the result is a Strategic Risk Management Framework that mirrors the
Return Driven Strategy and can also be used to identify the strategic risks in an
organization’s business strategy. Beyond the identification of strategic risks, this
framework can assist in the articulation of the organization’s risk profile and risk
appetite. In fact, the first tenet of Return Driven Strategy, “ethically maximize wealth,”
requires boards and management to define shareholder value creation objectives and
define an acceptable level of risk in doing so.31
This chapter presents the Strategic Risk Management Framework (derived from the
Return Driven Strategy framework) and demonstrates its use as a tool for strategic risk
management.
31 Frigo, Mark L. and Joel Litman, Driven: Business Strategy, Human Actions and the Creation of Wealth, Strategy and Execution, 2008, p. 29.
32 Enterprise Risk Management: Standard & Poor’s to Apply Enterprise Risk Analysis to Corporate Ratings (May 7, 2008).
• Management’s view of the most consequential risks the firm faces, their likelihood
and potential effect on credit;
• The frequency and nature of updating the identification of these top risks;
• The influence of risk sensitivity on liability management and financing decisions;
and
• The role of risk management in strategic decision making.
The critical nature of strategic risk management was also discussed recently in a speech
by then Governor of the Federal Reserve System Randall S. Kroszner in October of
2008. In his remarks, Governor Kroszner commented:33
“Risk management needs to be interwoven into all aspects of the firm’s business
and should be part of the calculus for all decision-making. Strategic decisions
about what activities to undertake should not be made unless senior management
understands the risks involved….”
Consistent with Governor Kroszner’s comments, in a recent issue of The Bulletin
Protiviti listed “not integrating risk management with strategy setting and performance
management” as one of its “Ten Common Risk Management Failures.”34
According to Protiviti, “to avoid this failure, management should implement an
integrated approach and discipline to deploy strategy and manage the associated risks.”
The challenge, then, for directors and senior management is to identify, among the
plethora of risks, those risks that are really strategic in exposure and are critical to the
success of the business. This challenge leads directly to the linkage and
understanding of an organization’s basic business strategy and the risks embedded in it.
Information Sharing
Another developing best practice, information sharing, was identified in a study entitled
“Observations on Risk Management Practices During the Recent Market Turbulence”
released by the Senior Supervisors Group (SSG) in March of 2008. That study identified
effective firm-wide identification and analysis of risk as one of four firm-wide practices
that differentiated performance.35 It observed that “…firms that performed well
through year-end 2007 generally shared quantitative and qualitative information more
effectively across the organization.”
33 “Strategic Risk Management in an Interconnected World,” speech by Governor Randall S. Kroszner of the Federal Reserve System at the Risk Management Association Annual Risk Management Conference, Baltimore, Maryland, October 20, 2008
34 “Ten Common Risk Management Failures and How to Avoid Them,” The Bulletin, volume 3, issue 6, Protiviti
35 “Observations on Risk Management Practices during the Recent Market Turbulence,” report issued by the Senior Supervisors Group, March 6, 2008
Transparency
A further part of this challenge is transparency: maintaining open and ongoing dialog
around these key topics. The SSG study also observed that in firms that experienced
greater difficulties, “….business line and senior managers did not discuss promptly
among themselves and with senior executives, the firm’s risks in light of evolving
conditions in the marketplace.”
To assist management and directors in addressing strategic risks, a framework that
facilitates the identification, understanding and communication of the organization’s
strategic risks would be valuable. Since the focus is on strategic risks, building such a
framework on a business strategy framework would provide a direct linkage between
strategy and strategic risk.
The Return Driven Strategy framework is composed of 11 core tenets and three
foundations that together form a hierarchy of interrelated activities that companies must
perform to deliver superior performance. The framework has been used by boards of
directors, executives, management teams and educators to assess and develop strategy,
communicate strategy, align and leverage execution frameworks and to manage risks.
For example, to compete in the global marketplace, more and more organizations are
entering into new business combinations such as joint ventures or investments, often in
developing countries. This approach may be core to the organization’s future growth.
However, while much effort may be focused on the mechanics of structuring deals and
investments, questions arise as to the organization’s understanding of the related
strategic risks from these activities. The Strategic Risk Management framework
includes consideration of Partnering Risk, which would point to potential risks to the
organization arising from inappropriate, ineffective or unethical activities by its business
partners. These types of risk might not be identified in traditional risk assessment
processes. Further, the comprehensive nature of the Strategic Risk Management
framework facilitates an integrated look at the organization’s strategic risks, including the
identification and analysis of the interconnections and dependencies of the various risks
to each other.
Again, in our example, a joint venture may open markets and allow for competitive cost
structures, but the exposure the partner presents to brand, reputation, and the ethics of
the organization must also be considered as risks.
The organization could then further tailor its own Strategic Risk Management
Framework and begin to formalize its strategic risk management process, including
consideration of the frequency of updating the strategic risk assessment. Combined, the
two frameworks form an effective tool to assess the organization’s strategy and the
embedded risks. Aligning the organization’s risk appetite and strategy is a basic
component of Enterprise Risk Management as described by COSO. According to
COSO, “Management considers the entity’s risk appetite in evaluating strategic
alternatives, setting related objectives, and developing mechanisms to manage related
risks.”
[Figure: Determination of risk appetite. Elements shown: Risk Capacity, Risk Appetite, Risk Tolerance, Risk Profile]
© Copyright Dr. Mark L. Frigo 2010 - Do not copy or redistribute without express written consent of Dr. Mark L. Frigo
Chapter 4
36 From Frigo, Mark L. and Richard J. Anderson, Strategic Risk Management: A Primer for Directors and Management Teams (2009), available for order online at http://www.lulu.com/content/7245785. The book DRIVEN is available on Amazon.com
We would now like to discuss each of the strategic risk categories in more
detail to demonstrate their applicability and usage.
In assessing its exposure to this type of strategic risk, the organization must
look objectively at itself and consider whether, in reality, it has
established and nurtured an ethical culture and not just mouthed the
words. The landscape is littered with failed organizations (think Enron)
that had written and published glowing statements on their ethics but
really did not come close to living the words.
Key Questions:
- Have tangible steps been taken to establish and communicate
the expected culture?
- Is ongoing training conducted to reinforce the ethical culture?
- Are surveys or assessments conducted to test the strength of the
culture?
- Has the organization conducted scenario analysis to identify
potential risk events?
- Are compensation and incentives aligned with protecting and
creating shareholder value?
- Are corporate governance and controls aligned with protecting
and creating shareholder value?
Key Questions:
- Has the organization a clear understanding of who its customers
are and why they do business with the organization?
- Are processes in place to capture and analyze customer data?
- Does the organization have a view of what the current and future
unmet needs of its customers are?
- Is customer/need assessment a required part of any new strategic
initiative?
- To what extent do the company’s offerings fulfill otherwise unmet
customer needs vs. commoditized needs?
- Are customer needs being fulfilled by the organization increasing,
decreasing or stable?
Customer Risk
Definition
Key Questions:
- Does the organization have a demographic profile of its customer
base?
- Are processes in place to periodically update the demographic
profile?
- Is someone in the organization responsible to monitor
demographic data and shifts?
- Does the organization segment customer groups with similar
customer needs?
- Are the number of customers served by the organization
increasing, decreasing or stable?
- Does the organization monitor the factors that affect the ability of
customers to buy its offerings?
In tough economic times, cost cutting initiatives can raise the profile of
this risk. For example, consolidating locations or suppliers may give rise to
increased exposure to this risk. Other areas where this risk has taken on
strategic implications are current trends in outsourcing and off-shoring.
An organization may find itself exposed to significant operations risk from
third parties as a result of these initiatives.
Key Questions:
- Is someone in the organization responsible for monitoring
Operations Risk?
- Are operating metrics and processes in place to monitor the
quality and efficiency of operations?
- Has the organization assessed its operational exposure to third
parties?
- Are trigger points in place to identify potential problems as they
develop?
- Are appropriate contingency and back up plans in place with key
operations and suppliers?
Key Questions:
- Is someone in the organization responsible for monitoring and
protecting the brand?
- Is an executive responsible for reputation risk?
- Are action plans in place to respond to events that threaten the
reputation?
- Has the organization assessed the exposure to its brand from third
parties?
- Have scenario analyses been conducted to identify possible threats
to the brand?
- Are action plans in place to respond to events that threaten the
brand?
- Does the organization continually monitor its reputation and
brand?
- How well does the organization’s brand make the connection
between your offerings and your customers’ otherwise unmet
needs?
Often, these strategic partnering activities are being undertaken with the
objective of reducing the organization’s cost structure by moving
processes to either lower cost locations or having the process performed
by third parties who specialize in the activities as a core competence.
When seeking these cost advantages, organizations must also consider
carefully the risk implications of the partnering initiative and how those
risks will be monitored and mitigated. These types of risk may include
both the activities of the third-party, as well as the dependencies the
organization has with that third party. Clearly, a lower cost structure that
significantly increases an organization’s risk profile is not desirable.
Timing is also a critical factor in addressing this area of strategic risk. The
risks, monitoring and mitigation activities must be considered and
addressed during the negotiating phase of a relationship. Once the
Key Questions:
- Has the organization identified all its key strategic partners?
- Are appropriate performance monitoring and measurement
processes in place to monitor the performance of third parties?
- Do contracts appropriately address the performance criteria
required from third parties, including unethical activities?
- Are contingency plans in place for each strategic partner?
- Is an assessment of Partnering Risk required for any proposed
initiative with a new strategic partner?
8-Value Chain Risk: The risk to the organization from the failure or inability to perform by any key element of its value chain.
The failure of any key element of its value chain is a clear strategic risk.
For example, the failure of a key supplier in the supply chain can expose
the organization to a significant loss of business. Or, poor or even
negligent or illegal activities by a key supplier can also have a huge
negative impact on the organization.
Another element of this risk can be the lack of efficiencies in the value
chain. Today’s global marketplace, with its ability to shift processes to
lower cost environments, has placed an increased premium on cost
effectiveness and accordingly, the risk associated with it.
The organization must also consider both the internal and external
elements of its value chain, including not only its core operating
processes but also support functions such as finance, control or legal.
Key Questions:
- Are appropriate processes in place to monitor performance
across the organization’s value chain and supply chain?
- Are appropriate back up plans and redundancies in place for key
elements of the value chain?
- Does the assessment process for cost cutting initiatives include
assessment of the impacts on other strategy tenets?
- Is there an ongoing, continuous improvement process to ensure
that operational processes are reviewed to increase their
efficiency?
The first of these areas is the risk of being unable to attract or manage a
more diverse workforce in the face of changing demographics. In the US,
as the baby boomer population moves into its retirement phase,
organizations will increasingly be unable to rely on their traditional
methods of attracting talent. They will be faced with the challenge of
attracting and then managing a more diverse workforce in order to fill
their human capital needs. There simply will not be an adequate supply of
traditional talent.
labor pool in some countries may not have the risk and control
orientation and education that is expected.
Key Questions:
- Is an executive of the organization responsible for overseeing
Employee Engagement Risk?
- Are appropriate processes in place to monitor this risk?
- Are benefit and compensation plans reviewed for consistency with
the organization’s strategic goals and objectives?
- Do the employees understand the strategy of the organization and
how they contribute to achieving it?
- Does the organization have the right incentives to create
alignment between employee engagement and the
organization’s strategy?
- Does the organization provide growth and development
opportunities for its employees that enhance employee
engagement toward achievement of the organization’s strategy?
Put simply, this risk emphasizes the point that strategies need both
monitoring and “Plan B’s.” Monitoring is addressed more specifically as
one of the foundations. The focus with Planning Risk is the need for
alternatives or contingency plans to address unanticipated changes
impacting the strategy. Just as generals are aware that battles are rarely
fought exactly as planned, so too businesses need to
consider the risk that their strategies will not be implemented exactly as
planned. Mitigating this risk is also a proactive, not a reactive, undertaking.
Businesses need to consider and think through options before events
place them in a situation where they do not have the luxury to think but are
in a critical reactive stance.
Key Questions:
- Does the organization’s strategic planning process require the
presentation and inclusion of options and alternatives?
- Does the strategic planning process include periodic assessments
to identify and respond to unanticipated events?
- Does the organization have new options in the pipeline to support
future growth?
Key Questions:
- Are appropriate ongoing communications conducted to
communicate and reinforce the organization’s strategy and
culture?
- Do communications processes support effective two-way
communications?
- Are communications processes broad enough to include
appropriate external stakeholders?
- Does the organization test or assess the effectiveness of its
communications processes?
- Does the organization have a consistent internal and external
message which reflects its core values and strategy?
- Does the organization monitor when and how it is being
mentioned in the press and on the Internet, including social networking
platforms and blogs?
- Does the organization proactively communicate its brand and
core values?
- Are investor relations activities aligned with drivers of strategic
valuation (return on invested capital; capital efficient profitable
growth)?
The Foundations
Genuine Assets
A-Genuine Assets Risk: The risk of the loss of value because of the inability to create, protect and grow the
Key Questions:
- Has the organization defined and inventoried its genuine assets?
- Has the organization assessed the adequacy of its controls to
protect its genuine assets?
- Has the organization identified genuine assets to grow or create as
part of its strategies?
Recent history has witnessed a number of large scale events that have
had significant negative impacts on organizations. Some of these events
Key Questions:
- Are ongoing processes in place to identify emerging risks and
events?
- Is someone in the organization responsible to monitor emerging
risks?
- Are policies and practices in place to encourage information and
knowledge sharing across the organization to help identify
emerging risks and events?
- Are executive management and directors periodically informed of
emerging risks?
Key Questions:
- Are processes in place to effectively monitor exposure to financial
market risks?
- Is someone in the organization responsible for monitoring and
managing Financial Market Risk?
- Are appropriate analytical tools and techniques utilized to monitor
this exposure?
- Are appropriate action plans in place to respond to events in the
financial markets that threaten the organization’s ability to
execute its strategy?
- Has the organization considered exposure to systemic market
disruptions?
A number of recent events, including major frauds, systemic risks, and the
changing legal and regulatory environment have combined to raise the
level of governance risk in many organizations. Investors, regulators, and
other third parties, such as rating agencies, are also seeking more
transparency around risk, control and governance processes. In the US,
the Sarbanes-Oxley Act has raised the focus on financial controls, but
recently other risk and control areas such as enterprise risk management
are receiving increased attention.
Addressing this risk area may also begin with an assessment or inventory
of exactly what the organization’s key governance processes are, across
and down through the organization.
Key Questions:
- Has the organization defined its governance processes and
activities?
- Has the organization assessed the adequacy of its governance
processes?
- Are processes in place to identify and consider developing
practices in corporate governance?
Key Questions:
- If the organization reports under the Sarbanes-Oxley Act, are
management and the directors satisfied with the effectiveness and
operation of the compliance efforts?
- If the organization does not come under SOX, have management
and the directors considered how to assess and monitor financial
reporting risks?
- Do the directors periodically receive information from the
organization’s external auditors on their views of the organization’s
controls over financial reporting?
Key Questions:
- Has the organization conducted an inventory to identify all critical
models and valuation tools?
- Are policies in place requiring appropriate independent validation
of key models and tools?
- Have appropriate staff reviewed and approved the key
assumptions in the models?
- Do policies require appropriate controls over modifications and
generation of new tools?
Here again is an example of a more traditional area of risk that has taken
on more strategic implications. Traditionally, fraud risk has been viewed
by many as more of an operational or transaction related risk. However,
recent history has revealed a number of financial frauds of such size and
magnitude that they destroyed entire entities. WorldCom and Enron are
examples of this type of situation. As a direct result of those frauds, US
public companies that report in accordance with the Sarbanes-
Oxley Act must conduct a fraud risk assessment. Accordingly, Fraud Risk
must be considered as a strategic risk with potential to impact
shareholder value.
Fraud risk must also be assessed more broadly than just the financial fraud
implications. To assess its exposure to various types of fraud, an
Key Questions:
- Has the organization conducted a comprehensive fraud risk
assessment, or reviewed fraud assessments conducted by its
internal or external auditors?
- Are appropriate processes in place to allow employees and
customers to communicate concerns about possible frauds, for
example whistleblower hotlines?
- Are processes in place to ensure that investigations of suspected
frauds are handled by appropriate parties?
- Is the organization in compliance with the requirements of
significant legal requirements such as the Foreign Corrupt Practices
Act and the Federal Sentencing Guidelines?
The following examples show the relationship between the tenets of Return Driven
Strategy and associated Strategic Risk.
• Strategic Risk Assessment: A first step for improving risk management and governance 116
• High-Level Work Plan for a Strategic Risk Assessment 125
Chapter 5
3- Data gathering
a. Consider how to use the RDS and SRM frameworks during stakeholder
data gathering
i. Determine format of data gathering from participants
ii. Develop interview briefing materials or surveys as appropriate
b. Determine stakeholder participants
i. Schedule stakeholder activities
c. Determine format for data capture and analysis
d. Execute stakeholder data gathering
e. Compile stakeholder data
7- Communications
8- Plan execution
9- Project follow up
Chapter 6
© Copyright 2009 by Mark L. Frigo and Richard J. Anderson
[Figure: Strategic GRC Framework. Functions identify and leverage common processes, technologies and knowledge: Risk Assessment; Emerging Risk Identification; Risk/Control Monitoring (KRIs). Other common processes could include: Technology; Issues tracking; Reporting; Training]
One of the results of the recent financial and economic turmoil in the US has been a
growing focus on corporate governance and its related processes, capabilities and
functions. Directors, senior executives, risk and control managers, consultants and
various vendors are all dealing with various aspects of corporate governance. In
particular, risk management and the theories, processes and tools related to it are
receiving significant attention. While not necessarily new concepts, the current
heightened focus on these governance activities has created its own lexicon that is
leading to some confusion and misunderstanding. In some cases, new terms such as
“GRC” have arisen without clear and consistent definitions. Some older terms, such as
“ERM” and “risk management,” likewise have become the source of some confusion.
This article will attempt to clear up some of that confusion and give executives a
common base of understanding for this new governance terminology. Let’s start with
governance and “GRC.”
“GRC” label is attached to a unit within the organization that is conducting controls
testing across the organization.
GRC is a way to address the “silos” that have developed in many organizations’ risk and
control units. However, it should not be viewed as an organization chart and is also not
simply a technology exercise. Technology may be an important enabler to effect the
leveraging of certain processes and knowledge to realize the benefits of GRC, but it is
much more than just a technology effort. The Strategic GRC Framework, which was
presented in Strategic Finance in February 2009, displays a framework that is useful in
explaining these concepts. Executives are cautioned not to just purchase a “GRC tool”
or undertake a GRC initiative without a good understanding of the strategic GRC
framework and objectives for their organization.
not define any specific set of activities. It really constitutes a very generic description of
risk activities.
“Enterprise risk management” is a term normally associated with more formal processes
spanning an organization dealing with the organization’s risks. This term is formally
defined by COSO as:
“Enterprise risk management is a process, effected by an entity’s board of
directors, management and other personnel, applied in strategy setting and across
the enterprise, designed to identify potential events that may affect the entity,
and manage risks to be within its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives.”
This is an enterprise wide definition that is supported by the COSO Enterprise Risk
Management – Integrated Framework. That framework is a robust model encompassing
eight interrelated components that run across the entity and its units and four categories
of the organization’s objectives. Given the completeness and span of the COSO ERM
framework, it really represents a model endpoint of what a complete enterprise wide risk
management process would include. As such, organizations often start by implementing
certain of its components as they build their risk management activities rather than
trying to implement the complete COSO ERM framework at one time.
The COSO ERM definition and framework are very clear that they are describing
processes, not functional units. However, in practice, organizations have formed
operating units to establish or conduct their risk management activities, which go by the
name of ERM or enterprise risk management functions. This has added to the fog by
leading some to believe that “ERM” or enterprise risk activities mean a functional unit,
not the process definition established by COSO. We have heard executives comment
that they might be interested in starting enterprise risk activities but are not doing so
because they do not want to establish an ERM functional unit. Unfortunately, that
misunderstanding of the ERM term is not an isolated situation, again caused by the lack
of uniformity in the understanding of ERM. So, while some organizations may choose
to form a functional ERM unit to conduct their risk management activities, ERM is
really a process that can be implemented and conducted without forming a separate
functional unit.
What is Strategic Risk Management?
Strategic risk management is another term that is receiving a lot of attention. For
example, Standard and Poor’s uses the term in their 2008 announcement about
expanding their review process to include reviews of risk management activities at non-
financial companies. Strategic risk management is a sub-set of ERM. The COSO ERM
Chapter 7
The following is a short case study to demonstrate the use of both the Return Driven
Strategy framework and the related Strategic Risk Management framework. The case
discusses, at a high level, the strategy and strategic risks for Apple Computer, Inc.
(Apple). The case also demonstrates the sequence from strategy to strategic risks.
Exercises we conducted in both the classroom and in practice have shown the need to
understand and de-compose an organization’s strategy before attempting to describe its
strategic risks. In earlier work, we attempted to directly identify an organization’s
strategic risks, without de-composing its strategy. That work convinced us that it is
necessary to first describe and de-compose the strategy and then apply the Strategic Risk
Management framework to the strategy elements to get at the real strategic risks (as
shown below).
Apple Background
Apple is a well-recognized public company that was founded in 1976. It produces
a range of products including personal computers, portable digital music players, and
mobile communications devices. It also sells various software services, peripherals and
networking solutions. Apple has a reputation for being highly innovative and has
produced very successful products including the Macintosh computer, the iPod, and the
iPhone. Its 2008 revenues were $32.5 billion and it has over 30,000 employees. The
Apple brand is also highly linked with one of its founders, Steve Jobs.
Apple’s Strategy
Exhibit 1 below uses the Return Driven Strategy framework to display some of the key
elements of Apple’s business strategy based on their publicly available information. For
purposes of this illustration, certain key items are indicated. A more in-depth analysis
could go further into detail including comments on each of the strategy tenets and the
foundations. However, for this case, we have chosen certain key tenets including:
- Innovate offerings
- Fulfill Otherwise Unmet Needs
- Target Appropriate Customer Groups
- Brand Offerings
- Partner Deliberately
- Genuine Assets
The exhibit illustrates the specific areas of their strategy that relate to each tenet. For
example, Steve Jobs, employees, creativity and proprietary knowledge are listed as key
Genuine Assets. We have also noted that two tenets, Brand Offerings and Genuine
Assets, are critical elements of their strategy.
Exhibit 1: Apple’s Strategy (Return Driven Strategy tenets)
Innovate Offerings
• Hardware, Software, Peripherals, Service & Internet Offerings
• Continuous investment in R&D to drive innovation & cutting edge technologies
Fulfill Otherwise Unmet Needs
• Retail Stores - expand offering to appeal to PC owners
• Highly focused research to determine customer wants
• Products result of extensive research and strong design
Brand Offerings
• Unique design and development create strong brand loyalty and customer appeal
• A Brand is a company’s most valuable asset
Partner Deliberately
• Microsoft Office
• Education Sales – getting the customer “hooked”
• iPhone Strategy – build a great product, allow AT&T to service contracts
Genuine Assets
• Steve Jobs
• Employees
• Creativity
• Proprietary knowledge
Exhibit 2: Apple’s Strategic Risks (partial; column headings not recovered)
• AT&T only
• Distribution Channel challenges
• Steve Jobs health – difficult to substitute his leadership
• Protection of proprietary knowledge
• Ability to attract and retain talent
• Loss of Apple as preferred employer
• Ability to attract a global workforce
Summary
This quick case study demonstrates the direct linkage between strategy and strategic
risks, which can be developed using the Return Driven Strategy framework and the
related Strategic Risk Management framework. While we would expect that the
actual analysis of a company would be more in-depth than the example used, the
exhibits serve as a concise example of the use of the frameworks and the critical
sequence and linkage that they facilitate.
37 “Genentech Risk Management Case Study,” Strategic Risk Management Lab working paper, DePaul University, 2008
Genentech
[Image: South San Francisco Campus Site]
Genentech is among the world's leading biotech companies and is considered by many
to be the founder of the biotechnology industry (stock ticker “DNA”).
The company has been using human genetic information to discover, develop,
manufacture and commercialize biotherapeutics that address significant unmet medical
needs.
The company was initially an R&D company with a little manufacturing. As the
company moved toward more manufacturing, its risk profile changed.
[Figure: Safety Event, Stock, Reroute; Net Decrease in Production; Excess Capacity, At Capacity]
Nokia quickly noticed the problem with the supply of the parts even before Philips told
them there was a real problem. They took fast action to address the situation once they
determined that the potential impact of the disruption in the supply of chips from the
Philips plant could translate into an inability to produce four million handsets,
representing 5% of the company’s sales at the time.
In contrast, Ericsson responded slowly and didn’t have alternative sourcing options. By
the time management realized the extent of the problem, they had nowhere else to turn
for several key parts. This partly stemmed from the company’s strategy in the mid-
1990s, when it simplified its supply chain to cut costs and in the process weakened its
supply backup. One manager at Ericsson said: “We did not have a Plan B.”
Underestimating the risk of the disruption in supply from the Philips plant and being
unable to manage the problem were major factors that led to Ericsson exiting the phone
handset production market in 2001.38
What lessons do these contrasting cases offer about integrating strategies and risk
management surrounding the supply chain?39
• Link the potential impact of supply chain disruptions to revenue and earnings to
prioritize and manage risk.
• Build in the necessary levels of redundancy and backup, and maintain supply
chain intelligence and relationships.
38 For more about this example, see “Trial by Fire: A Blaze in Albuquerque Sets Off Major Crisis for Cell-Phone Giants” in the January 29, 2001, issue of The Wall Street Journal.
39 See Mark L. Frigo, “Strategic Risk Management: The New Core Competency”, Balanced Scorecard Report, January-February 2009.
De-Risk Moves
Nokia
• Within 2 days, Nokia noticed the potential disruption of its supply chain and the impact on 4 million handsets
• Nokia's Chairman and Philips' CEO spoke immediately
• Philips routed production to other plants and guaranteed supply to Nokia
• Nokia put in place a risk management program across the supply chain
• Nokia is currently among the leading producers of handsets
Ericsson
• Low level employees at Ericsson did not understand and communicate the importance of the event
• By the time they realized the potential impact, Philips had guaranteed the supply to Nokia
• “We didn't have a Plan B”
• No other suppliers were capable
• In 2000, Ericsson announced a $1.8 billion loss in its mobile phone division
Philips
• Reported losses of $500 million
• Stock dropped by 14%
• Sold semi-conductor division
© Copyright Dr. Mark L. Frigo 2009 - Do not copy or redistribute without express written consent of Dr. Mark L. Frigo
Introduction: The strategic risk management alignment guide (see example) is a useful
tool to frame a high-level discussion or analysis of the overall system for managing an
organization’s strategic risks. The guide presents a simple way to match basic risk
responsibilities and processes to the organization’s strategic risk categories. The
responsibilities and processes reflected on the grid are consistent with the overall
components of enterprise risk management as outlined in the COSO “Enterprise Risk
Management – Integrated Framework.” In addition, the guide can be helpful to boards
and senior management teams as they work to shape and articulate the organization’s
risk management culture. It has become increasingly clear that information sharing and
communication across the organization is a “best practice” in risk management. The
guide can be helpful in shaping and enhancing those processes.
The guide is not intended to be viewed as a “final product” or as the only tool needed
for risk management. Rather, it should be viewed as just one component of the
organization's risk management processes. Many organizations find significant value in
working through the guide, as it forces a focus on specific actions and responsibilities
and presents an overall viewpoint. Often, the initial pass through the grid will reveal
inconsistencies across the processes: for example, certain cells may initially end up
blank while others have multiple or overlapping entries that lack clarity.
Given the dynamic nature of risk, the guide should ultimately be part of an ongoing
process that includes periodic reviews and updates.
Structure of the Grid: A basic example of the strategic risk management alignment
guide is presented below for illustrative purposes. Each organization should tailor the
guide to best reflect its specific needs and situation.
Chapter 8
Application: Most organizations use a team approach for their initial analysis using the
guide. This team should include senior representatives of business units as well as the
various control, internal audit, risk and compliance functions. Participants should be
senior enough in the organization to have an enterprise wide perspective and
understanding of the organization’s strategic risks.
Often, a facilitated session or meeting is used for the initial completion of the guide.
At this point, the focus should be to determine objectively whether each cell can be
completed or whether more work or clarity is needed. Follow up points from these
initial efforts may entail the following:
- Validation of completed cells. The team should validate what they believe to be
the correct information in each cell. For example, if they believe a specific
member of senior management is a risk owner, they should verify that with the
person to ensure that the member of management acknowledges both their
ownership of the risk and the related risk management activities.
- For cells with multiple entries, the team may need to clarify or prompt the
clarification of roles and responsibilities. One of the key outcomes of the guide
analysis should be clarity around the roles and responsibilities, so this becomes a
very important point for the team to focus on.
- For blank cells, the team needs to perform additional work to determine whether
there are processes or activities that they are not aware of, or whether the
analysis is pointing to items that will require senior management attention.
- The team should also take the opportunity to “sit back” and look at the guide to
try to identify opportunities to better rationalize activities and to look for
opportunities to foster better information sharing across the grid.
This initial analysis should result in a preliminary guide and a list of follow up items
that require attention or implementation. This may also be a good time to “socialize”
the guide with the board and management to encourage better understanding of the
organization's risk management processes.
As noted above, the guide must be viewed as part of an ongoing process, not a one-time
event. The organization should consider how the guide and related processes can be
made dynamic, with periodic reviews and updates to ensure that both the processes and
risk categories remain current.
Introduction
Risk management is an activity that is continuing to evolve in both its techniques and in
its application. Differences in understanding and application are apparent as one looks
at different industry segments and also different countries. For example, larger
institutions in the financial services industry have had fully dedicated enterprise risk
management (ERM) functions for a number of years. Conversely, fully dedicated ERM
functions are not found as frequently in the manufacturing sector. Looking across
industries then, a range of risk management activities becomes apparent. Some
organizations are at early stages in the maturity of their risk activities while others are
developing and deploying leading or best practices in their functions.
Additionally, as noted earlier in the primer, organizations such as the rating agencies
like Standard & Poor’s and Moody’s, have released their views and evaluation criteria
on risk management activities and processes.
In this current environment, we observe that many organizations and their directors,
especially outside of the financial services industry, are seeking to expand their
understanding of risk management processes and how they should be applying them in
their particular situation. For some, this is an education process that involves both
increasing the personal understanding of management and the directors about risk
management and also understanding where, along the range of risk activities, they
believe their organization should be.
Enhanced and Best Practice. The four category names were selected simply to allow
for the presentation of four levels and they are not intended to represent or equate to any
specific recognized criteria or accepted standard. They merely provide descriptions of
wide ranges to facilitate analysis and discussion.
Also, while the tool displays Level 4 – “Best Practice” activities for each question, it
should not be assumed that every organization will desire or need to achieve that level
for every one of its risk management activities. As with any comparison to “best
practice” an organization must consider its specific situation, needs, and costs and then
decide which level of maturity and specific practices are most appropriate for them. The
specific organization’s size, complexity, resource capacity, and risk profile will need to
be considered in determining the most appropriate level of maturity for its risk
management processes.
The tool describes various levels of risk management practices grouped within two key
topical areas: Risk Management Culture and Governance, and Strategic Risk
Management. These two topical areas of the diagnostic tool are also the key areas for
initial analysis by Standard & Poor's in its reviews of risk management. Within each of
these broad areas, a series of key questions is posed, followed by a range of possible
risk management activities in response to each question.
The final section of the diagnostic tool has a more detailed series of questions in five
topical areas: Risk Management Culture and Governance, Risk Appetite and Tolerances,
Risk Monitoring, Emerging Risks, and Strategic Risk Management. These questions
allow for a deeper discussion in any of those specific areas.
Application
The diagnostic tool is intended more to facilitate discussion than to serve as a simple
checklist. Discussion could be conducted at either the management level or the board
level. Realistically, management may find it more beneficial to use the tool first for
their own discussions and analysis as part of building their risk management strategy
and plans. This could be followed by presentations and discussions with directors, with
the tool used to display the levels of current and proposed maturity for the
organization.
be useful here. This type of exercise is aimed at identifying two points on any maturity
curve or range; 1) the level of the organization’s current practices and, 2) the desired
level of maturity for those same practices. Once the desired state is known, a project
plan can then be developed to implement actions to close the gap and bring the
organization to the desired level.
Using the questions and diagnostic tool, it may be a relatively straight-forward process
to agree on the current state of the organization’s risk management processes in each
area. That establishes the current state baseline. The real work is then to discuss and
agree on the desired future state of what level the organization wants to move its
practices up to and also to identify the specific practices it wants to implement.
The maturity diagnostic can also be used as a starting point for a library of risk
management practices. As other or newer practices are identified, for example industry
specific practices, the tool can be expanded and its contents deepened and made more
company specific.
Level 1 (Weak): No formal statement of risk appetite and risk tolerances.
Level 2 (Adequate): Informal / implied risk appetite; risk appetite decisions made on a case-by-case basis. Some risk tolerances established and used, but in a decentralized fashion.
Level 3 (Enhanced): Formal statement of risk appetite that is regularly referenced and used to guide decisions and tolerances. Risk tolerances established for all risks and used with some centralized aggregation and reporting of any exceptions. Organization is not over-reliant on any one specific risk methodology or model.
Level 4 (Leading Practice): Formal, board-approved statement of risk appetite that includes both risks taken and not to be taken. Risk tolerances are clearly embedded in planning and decision making processes. Risk tolerances established for all risks and used with centralized aggregation and reporting of risk levels and any exceptions on a regular basis.
Level 1 (Weak): No clear responsibility or accountability for ERM. ERM staff too low level or without any real voice in the organization.
Level 2 (Adequate): Responsibility for ERM not explicit / scattered across multiple individuals / functional areas. Informal reporting relationships to CEO, Board, or Board Committee.
Level 3 (Enhanced): Clear responsibility for ERM program (i.e. Enterprise Risk Manager). Accountability for participation in ERM by functional areas of the business. Allocated resources to facilitate and sustain the ERM program. Dotted-line reporting relationship from ERM program to CEO, Board, or Board Committee.
Level 4 (Leading Practice): Executive-level ERM position (i.e. Chief Risk Officer) with clear responsibility for maintaining, and authority for enforcing, the ERM program and policies. Dedicated resources to facilitate and sustain the ERM program. Independent reporting relationship from ERM program to CEO, Board, or Board Committee. Ongoing, direct communications between CRO, CEO and board.

Level 1 (Weak): Ad hoc reporting of risks to senior management, Board, or Board Committee.
Level 2 (Adequate): Annual, disaggregated reporting of risks to senior management, Board, or Board Committee.
Level 3 (Enhanced): Quarterly / monthly, aggregated reporting of risks to senior management, Board, or Board Committee.
Level 4 (Leading Practice): Near-real time availability of aggregated risk reporting (including exception notifications) to senior management, Board, or Board Committee.
Level 1 (Weak): Management does not have a clear and direct view of the most consequential risks the firm faces, their likelihood and potential impact on the firm's performance.
Level 2 (Adequate): Management has a view of some of the most consequential risks the firm faces, their likelihood and potential impact on the firm's performance.
Level 3 (Enhanced): Management and the board have a periodic view of the most consequential risks the firm faces, their likelihood and potential impact on the firm's performance.
Level 4 (Leading Practice): Management and the board have a clear and continuous view of the most consequential risks the firm faces, their likelihood and potential impact on the firm's performance.
b. What is the frequency and nature of updating the identification of these top
risks?
Level 1 (Weak): The updating of the identification of risk is infrequent and ad hoc; the nature of the updating is not comprehensive or strategic.
Level 2 (Adequate): The updating of the identification of risk is sporadic, but the nature of the updating is comprehensive.
Level 3 (Enhanced): A formal process exists for updating the identification of risk on a frequent basis, and the nature of the updating is comprehensive and strategic.
Level 4 (Leading Practice): An ongoing process exists for updating the identification of risk on a continuous basis, and the nature of the updating is comprehensive and strategic, using a strategic risk management framework.
c. How does risk management affect the company’s financial decision making?
What is the influence of risk sensitivity on liability management and financing
decisions?
1-Weak 2-Adequate 3-Enhanced 4-Leading Practice
d. When developing strategic plans does the company use risk/ reward analysis
when allocating resources (e.g., capital, talent)?
e. How does management reflect risk and reward for risk in strategic decision
making?
Level 1 (Weak): Risk assessment and management is not an integral part of strategic decision making.
Level 2 (Adequate): Risk assessment and management is part of some strategic decision making.
Level 3 (Enhanced): Risk management personnel participate in most strategic decision making. Formal new product policy established requiring risk assessment of new products / initiatives.
Level 4 (Leading Practice): CRO has approval authority and is an integral part of strategic decision making. CRO has the authority to prompt risk reviews of existing products or initiatives.

Level 1 (Weak): Risk measures and key risk indicators are not part of the key performance measures used in the organization.
Level 2 (Adequate): Some risk measures and key risk indicators are used in the organization.
Level 3 (Enhanced): Risk measures and key risk indicators are part of the key performance measures used in the organization.
Level 4 (Leading Practice): Risk measures and key risk indicators are an integral part of the performance measurement processes used in the organization and are monitored regularly.
Risk Monitoring
-- How does the company identify and control each major risk?
-- What are the company's risk limits for each major risk? How are they enforced?
-- How did the company manage losses in a recent loss event scenario?
-- What changes were made to risk-management procedures as a result of loss
experience?
-- What information about each major risk is shared with senior management and/or the
board of directors?
Emerging Risks
-- Does the organization have a formal, ongoing process to identify emerging risks or
risk events?
-- What does the company do to prepare for extreme disaster?
-- What types of disasters are of active concern to the company?
-- What are the company's stress testing practices?
-- What are the company's liquidity risk management practices?
-- What contingency plans has the company developed?
-- What environmental scanning techniques does the company use to anticipate the
emergence of extreme disasters?
Appendix A
Bibliography
Apgar, David. Risk Intelligence: Learning to Manage What We Don’t Know. Harvard
Business School Press, 2006
Beasley, Mark and Frigo, Mark L., “Strategic Risk Management: Creating and
Preserving Value”. Strategic Finance, May 2007
Beasley, Mark, Al Chen, Karen Nunez and Lorraine Wright. “Working Hand in Hand:
The Balanced Scorecard and Enterprise Risk Management”. Strategic Finance, March
2006
“Best Practices for a Board’s Role in Risk Oversight”, Moody’s Special Comment,
August, 2006
Bossidy, Larry and Ram Charan. Execution: The Discipline of Getting Things Done.
New York: Crown Business, 2002
Bruce, Brian R. and Bradshaw, Mark T., Analysts, Lies and Statistics. New York:
Institutional Investor Books, 2004
Charan, Ram. Owning Up: The 14 Questions Every Board Member Needs to Ask. John
Wiley & Sons, 2009
“Containing Systemic Risk: The Road to Reform”, Report of the Counterparty Risk
Management Policy Group III, August, 2008
“Cut Out the Risk for the Biggest Rewards” Financial Times, May 10, 2007
Davenport, Thomas H. and Jeanne G. Harris, Competing on Analytics: The New Science
of Winning. Boston: Harvard Business School Press, 2007
Downes, Larry and Chunka Mui. Unleashing the Killer App. Boston: Harvard Business
School Press, 1998
Drucker, Peter F. Managing for the Future: The 1990s and Beyond. New York: Truman
Talley Books, Dutton, 1992
“Enterprise Risk Management: Standard & Poors To Apply Enterprise Risk Analysis to
Corporate Ratings”, S&P Announcement, May 2008
Eccles, Robert G., Scott C. Newquist, and Roland Schatz. Reputation and Its Risk.
Harvard Business Review, February 2007
“Emerging Best Practices in Developing Key Risk Indicators and ERM Reporting”
Whitepaper, James Lam & Associates (Cognos), September 2006
Epstein and Roy. “How Does Your Board Rate?”. Strategic Finance, February 2004
Epstein, Marc J. and Roy, Marie-Josee. “Measuring and Improving the Performance of
Corporate Boards using The Balanced Scorecard”. Balanced Scorecard Report, March-
Frigo, Mark L and Anderson, Richard J., "Strategic Risk Assessment: A Foundation for
Risk Management and Governance". Strategic Finance, December 2009
Frigo, Mark. L.and Anderson, Richard J., “Strategic Risk Assessment: A First Step for
Improving Risk Management and Governance”. Strategic Finance, December 2009
Frigo, Mark L. “When Strategy and ERM Meet”. Strategic Finance, January 2008
Frigo, Mark L. “Return Driven: Lessons from High Performance Companies”. Strategic
Finance, July 2008
Foster, Richard and Kaplan, Sarah, Creative Destruction. New York: Doubleday, 2001
Frigo, Mark L and Litman, Joel. “Give My Regrets to Wall Street”. Harvard Business
Review, 2004
Frigo, Mark. L. and Litman, Joel. “What is Return Driven Strategy?”. Strategic Finance
,February 2002
Frigo, Mark L. and Richard J. Anderson. “A Strategic Framework for Governance, Risk
and Compliance”. Strategic Finance, February 2009
Frigo, Mark L. and Joel Litman, “Driven: Business Strategy, Human Actions and the
Creation of Wealth”. Strategy & Execution Press, 2008
June 2002
Frigo, Mark L. “Building the Verbs of Strategy on the Nouns of a Business”. Strategic
Finance, April 2003
Frigo, Mark L. “Performance Measures that Drive the Goal Tenets of Strategy”.
Strategic Finance, October 2003
Frigo, Mark L. “Performance Measures that Drive the First Tenet of Business Strategy”.
Strategic Finance, September 2003
Frigo, Mark L. “Growth isn't always good: Knowing When and Where to Grow”.
Strategic Finance, December 2004
Frigo, Mark L. “Strategy and the Board of Directors”. Strategic Finance, June 2003
Frigo, Mark L. “What's Missing in Our Strategic Plans?”. Strategic Finance, May 2003
Frigo, Mark L. and R. Graziano. “Strategic Decisions and Cash Flow”. Strategic
Finance, July 2003
Frigo, Mark L. “Strategy, Value Creation and the CFO”. Strategic Finance, January
2003
Frigo, Mark L. “Strategy and the Balanced Scorecard”. Strategic Finance, November
2002
Friedman, Milton. Capitalism and Freedom. Chicago: The University of Chicago Press,
1962
Friedman, Milton and Rose Friedman. Free To Choose. New York: Harvest, Harcourt
Inc., 1990
Fuller, Joseph and Jensen, Michael C. “Just Say No to Wall Street”. Journal of Applied
Corporate Finance, Volume 14 – No. 4, Winter 2002, pages 41 – 46.
Gladwell, Malcolm. The Tipping Point: How Little Things Can Make a Big Difference.
New York: Little Brown & Company, 2000
Goldratt, Eliyahu M. Theory of Constraints. Great Barrington: North River Press, 1990
Jensen, Michael C. and Murphy, Kevin J. “CEO Incentives – It's Not How Much You
Pay, But How”. Harvard Business Review, May-June 1990.
Kaplan, Robert S. "Risk Management and the Strategy Execution System". Balanced
Scorecard Report, November-December 2009
Kaplan, Robert S. and David P. Norton. The Execution Premium: Linking Strategy to
Operations for Competitive Advantage. Boston, MA: Harvard Business School Press,
2008.
Kaplan, R.S., and D.P. Norton. Alignment: Using the Balanced Scorecard to Create
Corporate Synergies. Boston, MA: Harvard Business School Press, 2006.
Kaplan, Robert S., and David P. Norton. “The Balanced Scorecard – Measures that
Drive Performance”. Harvard Business Review, 1992
Kaplan, Robert S., and David P. Norton. “Using the Balanced Scorecard as a Strategic
Management System”. Harvard Business Review January, 1996
Litman, Joel and Mark L. Frigo. “When Strategy and Valuation Meet: Five Lessons
from Return Driven Strategy”. Strategic Finance, 2004
“Managing Risk in the New World". Harvard Business Review, October 2009
Madden, Bartley J. CFROI Valuation A Total System Approach to Valuing the Firm.
Woburn: Butterworth-Heinemann, 1999
Beasley, Mark, Bruce Branson and Bonnie Hancock. “ERM: Opportunities for
Improvement”. Journal of Accountancy, September 2009
Reid, Peter C. Well Made in America: Lessons from Harley-Davidson on Being the Best.
New York: McGraw-Hill Publishing, 1990
Slywotzky, Adrian J. The Upside: The 7 Strategies for Turning Big Threats Into Growth
Breakthroughs. New York: Crown Business, 2007
Slywotzky, Adrian. “Finding the Upside Advantage of Downside Risk”. Strategic Finance,
November 2008
Slywotzky, Adrian and John Drzik. “Countering the Biggest Risk of All”. Harvard
Business Review, April 2005
Dreyer, Steven and Amra Balic. “Progress Report: Integrating Enterprise Risk
Management Analysis Into Corporate Credit Ratings”. Standard & Poor's, July 22,
2009
Taleb, Nassim Nicholas. The Black Swan: The Impact of the Highly Improbable.
Random House, 2007
“Ten Common Risk Management Failures and How to Avoid Them”, Protiviti
Bulletin, Volume 3, Issue 6, January 5, 2009
“The Role of U.S. Corporate Boards in Enterprise Risk Management”, The Conference
Board, Research Report, 2006
Walton, Mary. The Deming Management Method. New York: Perigee Books, 1986
Welch, Jack. Jack: Straight from the Gut. New York: Warner, 2001
Zook, Chris and James Allen, Profit from the Core: Growth Strategies in an Era of
Turbulence. Boston: Harvard Business School Press, 2001
Appendix B
X. Shareholder Communications
Governance structures and practices should be designed to encourage
communication with shareholders.40
The National Association of Corporate Directors (NACD) puts forth these Key
Agreed Principles, grounded in the common interests of shareholders, boards and
corporate management teams, to provide a blueprint for corporate boards and thereby
to help improve the quality of discussion and debate on governance issues going
forward.
40 “Key Agreed Principles”. National Association of Corporate Directors, 2009
Appendix C
Governor Randall S. Kroszner
At the Risk Management Association Annual Risk Management Conference,
Baltimore, Maryland
The current environment certainly presents some fundamental challenges for banking
institutions of all types and sizes.1 Their boards of directors and senior management,
who bear the responsibility to set strategy and develop and maintain risk management
practices, must not only address current difficulties, but must also establish a framework
for the inevitable uncertainty that lies ahead. Notably, the ongoing fundamental
transformation in financial services offers great potential opportunities for those
institutions able to integrate strategy and risk management successfully, and I will argue
that survival will hinge upon such an integration in what I will call a "strategic risk
management framework."
We are indeed witnessing dramatic shifts in the structure of financial markets. These are
quite extraordinary times that have required extraordinary responses from the Federal
Reserve, the Treasury, and other governmental bodies in the United States and around
the world. Since last summer, there had been a continuous deterioration of conditions in
financial markets, becoming much more acute since March of this year. For instance, we
have seen significant disruption in several key sectors of our financial system, such as
normally creditworthy companies having difficulty issuing commercial paper, dramatic
increases in interbank lending rates, and significant concerns about money market funds
"breaking the buck." These are sectors usually considered to be relatively low risk and
quite liquid, so disruptions here have signaled the extent and depth of this turmoil and
the lack of confidence among financial market participants.
The Federal Reserve has responded to these developments in two broad ways. First,
following classic tenets of central banking, the Federal Reserve has provided large
amounts of liquidity to the financial system to cushion the effects of tight conditions in
short-term funding markets. Second, to reduce the downside risks to growth emanating
from the tightening of credit, the Fed, in a series of moves that began last September,
has significantly lowered its target for the federal funds rate. Indeed, earlier this month,
in an unprecedented joint action with five other major central banks and in response to
the adverse implications of the deepening crisis for the economic outlook, the Federal
Reserve again eased the stance of monetary policy. We will continue to use all the tools
at our disposal to improve market functioning and liquidity, to reduce pressures in key
credit and funding markets, and to complement the steps the Treasury and foreign
governments will be taking to strengthen the financial system.
Over the past year, there has been increasing concern among financial institutions and
other counterparties about the health of some financial institutions. Uncertainty about
the value of assets and other exposures, as well as uncertainty about the ability of
institutions to sustain continued access to funding, has caused financial institutions to
operate with great caution and hoard funds. What was once a healthy, active interbank
market has become frozen from time to time, as some institutions feel that conditions
are so uncertain that they cannot even lend to long-standing clients or counterparties. In
quite a dramatic shift from just 18 months ago, there is much more scrutiny being placed
on capital adequacy, with financial institutions trying to retain as much capital as they
can, raise as much as possible, and demonstrate that their capital positions are not
impaired. The Capital Purchase Plan by the U.S. Treasury Department under the
Emergency Economic Stabilization Act is focused on improving capital adequacy and,
hence, improving confidence in the interbank market.
Perhaps one of the most pressing issues, as I mentioned briefly earlier, is the intense
emphasis on funding. This dramatic shift in concerns about a financial institution's
funding base results in much more focus on the stability of funding sources--one of the
reasons that the bank charter has become so attractive. Indeed, we are seeing the
emphasis on funding driving many other factors that affect financial institutions,
including the viability of various aspects of firms' business models. And problems with
liquidity have affected capital levels, which in turn have further exacerbated liquidity
concerns. It is indeed quite remarkable how this "flight to liquidity" has brought about
so many institutional and structural changes, and become essentially the most important
factor (at least now) for the viability of a financial institution.
Over the past year there have been a number of studies analyzing the causes of the
current turmoil, which include shortcomings in the risk management practices of
financial institutions.2 It is absolutely clear that many financial institutions need to
undertake a fundamental review of risk management. They now realize that ignoring
risk management in any aspect of the banking business usually creates problems later
on. Risk management shortcomings need to be addressed not only to improve the health
and viability of individual institutions, but also to maintain stability for the financial
system as a whole.
At this time, I would like to explain a bit more about what I mean by a "strategic risk
management framework." In my view, an effective overall corporate strategy combines
a set of activities a firm plans to undertake with an adequate assessment of the risks
included in those activities. Unfortunately, many firms have forgotten the second part of
that definition. In other words, there can be no real strategic management in financial
services without risk management, hence my use of the term "strategic risk
management." Risk management needs to be interwoven into all aspects of the firm's
business and should be part of the calculus for all decision-making. Strategic decisions
about what activities to undertake should not be made unless senior management
understands the risks involved; assessing potential returns without fully assessing the
corresponding risks to the organization is incomplete, and potentially hazardous,
strategic analysis.
Ensuring that risk management permeates an entire organization may require some
fundamental changes for certain firms. And this lesson applies not just to the prominent
organizations mentioned in the headlines of late, but also to smaller firms. Even if
smaller firms have been less affected by the recent turmoil (and perhaps have even won
back some market share as customers seek more "traditional" places to put their money),
their managements must understand that the financial landscape has changed and needs
to be surveyed anew because events outside of their control in market-wide flight to
liquidity, for example, can have direct impacts on them. Of vital importance will be
incorporating into strategic risk management the lesson that funding and liquidity will
be a major determinant of institutions' success going forward.
Now that I have laid out a general framework for strategic risk management, I would
like to offer a few examples of its application.
As I noted, the clear driver of the fundamental transformation in financial services is the
increased importance of funding and liquidity. The ability to secure funding is a
fundamental task in banking, and banks have been managing expected liquidity
demands since the beginning of banking itself. In times of stress, such as now, having a
solid and reliable funding structure becomes much more important, in some cases so
much so that it affects most other banking activities.
The current turmoil has brought about substantial deleveraging in financial services.
Managing this process is an immediate challenge for banking institutions, as they must
consider the need to reduce leverage at their own institution as well as understand the
consequences of deleveraging at other firms. This is clearly an example of external
factors affecting internal practices, and vice versa. From a strategic perspective, bank
directors must examine their current and future funding situation in light of recent
deleveraging, its near-term prospects, and the state of overall liquidity in financial
markets.
Finally, strategic risk management for funding and liquidity needs to consider potential
liquidity problems on both sides of the balance sheet. We saw such examples recently
when there were draws on liquidity commitments to structured investment vehicles and
commercial paper conduits, and when banks faced difficulty selling exposures in illiquid
markets. When there is a marketwide scramble for liquidity, a bank must be prepared to
manage funding challenges and unplanned asset expansions simultaneously. Developing
a strong strategic risk management framework that recognizes the vital importance of
funding and liquidity to both sides of the balance sheet is one way in which directors
and senior management can help ensure that their institutions are ready for such
outcomes. They should also ensure that they fully understand that funding and liquidity
issues will drive many of the activities in which they will be able to engage, something
to which I will now turn.
While the financial landscape is by no means settled, certain emerging trends will affect
which activities make sense, which exposures should be assumed, and which risks
should be undertaken. One immediate trend is that much of the future of business
activities of banking organizations will be driven by the increased focus on funding and
liquidity. Accordingly, this trend must be integrated into a strategic risk management
framework. For instance, there may be less opportunity to pursue activities that were
quite prolific under the previous "originate-to-distribute" model, such as securitizations,
given current disruptions or longer-term uncertainties about the reliability of market
liquidity. For similar reasons, other activities, such as investing in collateralized debt
obligations or structured investment vehicles--which typically relied on relatively easy
maturity transformation--may not be as viable in this new environment.
Whether transactions take place on an organized exchange or in the so-called over the
counter market is another important aspect of the strategic risk management choices
undertaken by an organization. When contracts are traded on an exchange, clearing and
settlement, for example, may have less uncertainty associated with them. In addition, an
exchange that has a centralized counterparty--perhaps the clearinghouse of the
exchange--can reduce uncertainty about counterparty risk and help to avoid market
dislocations that can arise from such uncertainty, not only for an individual firm but,
potentially, more broadly in that market. Thus, market infrastructure and its impact on
how organizations are connected to each other can have a large impact on market
confidence in times of stress.
Of course, we have seen that uncertainty, fear, and lack of trust among key
counterparties can dramatically affect trading in some products across markets in many
countries, again an example of the impact of interconnectedness. These days,
institutions are seeking more assurance that their counterparties will not default from
one day to the next. Whether there is a shift to more trading on clearinghouses will be
driven by firms' analysis of counterparty credit risk and the extent to which they are
comfortable doing business with leveraged counterparties about which they have limited
information. Firm managers should take these infrastructure and interconnectedness
issues into account in undertaking their own strategic risk management choice about
what activities to undertake and the risks posed by each. This is a clear example of how
external structures should be taken into account in a firm's strategic planning.
In their strategic risk management frameworks, institutions should also understand the
broader issue of potential gravitation to a model in which most or all types of financial
services are brought together in single institutions. That is, institutions have to prepare
for the possibility that they could lose customers and/or be less competitive if they are
unable to provide the full set of financial products. Importantly, however, bank directors
and senior management, in assembling their strategic risk management framework,
should fully understand the complications associated with offering multiple products
and engaging in a wide array of activities--such as reputational risk. And they should not
automatically assume that engaging in multiple activities in multiple geographic markets
will provide so-called "natural diversification." As I just noted, different financial
markets and different types of financial services are quite interconnected, and during
times of stress all can experience losses concurrently.
Of course, there may also be an opportunity for some institutions to benefit from more
traditional, "bread-and-butter banking," with exposures and risks tied more closely to
bank balance sheets. This potential opportunity for niche banking could have certain
benefits, as clients and investors, because of the fear of contagion, seek institutions that
are specifically not involved in multiple markets and activities. And local banks can
often provide more personalized service and have a better understanding of their clients'
needs. In such cases, however, institutions conducting specialized or local business must
understand the inherent risks, such as potential risk concentrations.
Compensation
Clearly, bank directors have an influential role to play in setting compensation, and they
should exercise their authority to establish a more risk-sensitive compensation
framework while embedding it in the broader strategic risk management framework of
the institution. Directors should understand the consequences of providing too many
short-term and one-sided incentives. There are many ways that this risk sensitivity could
be accomplished, and it is up to the firms themselves to arrive at solutions. One
possibility, for example, is to include more types of deferred compensation, since the
risks of certain investments or trades may not manifest themselves in the near term. It
makes sense to try to match the tenor of compensation with the tenor of the risk profile
and, thus explicitly, take into account the longer-run performance of the portfolio or
division in which the employee operates. A good risk-sensitive compensation regime,
properly embedded in a strong strategic risk management framework, can bring about
changes in behavior so that the firm's employees refrain from taking on risk beyond the
firm's stated risk appetite. Perhaps most importantly, such a compensation regime must
give the appropriate incentives to take risks fully into account during good times, when
many often underestimate longer-term risks.
Conclusion
I have tried to lay out the importance for banking institutions to develop and maintain a
strategic risk management framework that fully incorporates all the risks they face--both
internal and external--when making choices about what activities and markets in which
they will operate. Indeed, having a corporate strategy that does not include risk
management at its core is not really a strategy at all. Market infrastructure, which affects
not only the ways in which firms are connected to each other but also the types of
shocks to confidence that they may encounter, is an important external factor that should
be taken into account in strategic risk management.
As a concluding point, I will offer a few comments on one additional area to which
banking institutions must pay particular attention: the regulatory and supervisory
structure in which banks operate. Banking is an industry that is subject both to market
competition and considerable regulation. Therefore, banking institutions must not only
evaluate potential changes in the competitive financial landscape (as I noted earlier), but
must also pay attention to potential changes on the regulatory side.
Over the past year, there have been a number of suggestions for possible statutory
changes in U.S. financial services regulation, so bank directors must be prepared for
whichever outcomes such changes might imply for the regulatory structure in the United
States. For example, the Congress may wish to undertake legislative action to effect
regulatory changes, or there may be changes to the existing authority and responsibility
of certain regulatory bodies. In any event, there will likely be some type of adjustments
in regulatory structure simply given the changes in the financial services landscape.
Given the fluid situation in which we find ourselves today, bank directors and senior
management in their strategic planning have to anticipate a range of potential outcomes
in the regulatory sphere in both the short and long term.
Appendix D
Overview: Standard & Poor’s to Apply Enterprise Risk Analysis to Corporate Ratings
In May 2008, Standard & Poor’s Rating Services (S&P) released an announcement
indicating that they would enhance their ratings process for non-financial companies to
include a review of enterprise risk management (ERM). Their ERM reviews are
intended to: “provide investors and issuers our views of a management team’s ability to
understand, articulate, and successfully manage risk.”
The announcement also indicated that S&P would include the ERM reviews and
discussions in reviews conducted in 2008 but would defer scoring of ERM capabilities
until later in 2009.
The S&P announcement is an excellent document on ERM basics and should be read by
directors and senior executives, regardless of whether their organizations are subject to
reviews by S&P. The basic ERM concepts and approach discussed in the announcement
form a solid foundation for understanding ERM from the top down. The discussion in
the S&P announcement is around three key areas: 1) how they define “ERM,” 2) the
risk management culture, and 3) strategic risk management.
S&P first outlines what they believe ERM is and is not. They discuss the approaches
and processes that encompass ERM. These include expectations on what risks the
company will and will not take, and also note that this is a fundamental responsibility of
the board and senior management. They also note that ERM is not a guarantee or a
method of eliminating risk and it is not a passing fad.
The analysis of the risk management culture will also be explored by the S&P analysts.
In these areas, they will focus on risk management frameworks, roles of staff and
reporting lines, communications, and policies and metrics. The influence of risk
management on budgeting and management compensation will also be discussed. These
points of discussion represent a solid conceptual base for any discussion of the
importance and key elements of a risk management culture.
The final area of analysis is strategic risk management. Key topics here are
management’s views of the most consequential risk facing the firm and the frequency
for updating these top risks. They also note the role of risk management in strategic
decision making.
This expansion of S&P’s rating process is clearly important to executives and directors
of companies rated by S&P. However, as noted above, we believe the key concepts and
topics contained in the announcement are applicable to all organizations. Accordingly,
we recommend all executives and directors take the time to read and reflect on their key
points.
Appendix E
Overview: Best Practices for a Board’s Role in Risk Oversight
Moody’s Investors Service
Moody’s Investors Service issued a Special Comment during August of 2006 entitled
Best Practices for a Board’s Role in Risk Oversight. The report discusses Moody’s
views that the risk oversight role of the board is critical in the sound running of an
institution. Moody’s lists five central functions that the board has with respect to risk.
3) Ensure robust oversight of risk at the board committee and senior management
levels
Moody’s believes that risk focused committees are most effective when staffed with
skilled directors and that sufficient time is allocated to coordinated risk oversight.
Appendix F
Appendix G
Glossary of Terms
Strategic Risks are those risks that are most consequential to the
organization’s ability to execute its strategies and achieve its business
objectives.
Dr. Mark L. Frigo, PhD, CPA, CMA is Director of The Center for Strategy, Execution,
and Valuation and the Director of the Strategic Risk Management Lab in the Kellstadt
Graduate School of Business at DePaul University and Ledger & Quill Alumni
Foundation Distinguished Professor of Strategy and Leadership. Author of six books
and over 80 articles, his work is published in leading journals including Harvard
Business Review. Dr. Frigo is a frequent contributor and an editor for Strategic Finance
and lectures at universities and conferences throughout North America and Europe. He
is a leading expert on strategy and execution in high-performance companies and
strategic risk management. Dr. Frigo is the co-author (with Joel Litman) of Driven:
Business Strategy, Human Actions and the Creation of Wealth (2008).
His professional career has included corporate strategic planning, mergers and
acquisitions, and management consulting in strategic services at an international
consulting firm.
Dr. Frigo is recipient of the Economos Award for outstanding teaching in the Kellstadt
Graduate School of Business MBA program, the DePaul University Excellence in
Teaching Award, the Outstanding Accounting Educator of the Year Award by the
Illinois CPA Society and numerous awards by professional organizations for his
executive education programs and he was recently profiled in Crain's Chicago Business
in an article about top Business School professors. As an avocation, Dr. Frigo is a
teacher of the way of martial arts and holds the rank of Yon Dan (4th degree Black Belt)
in Shotokan karate; he is an instructor at the Jiu-Jitsu Institute (Chicago’s oldest martial
arts school, established 1938), and a senior student of Master Sensei Wataru
Nakamoto.
He serves as an advisor to senior executive teams and boards of directors. You can
reach Mark at mfrigo@depaul.edu or 312.362.8784.
Dick is also an active member of the Institute of Internal Auditors (IIA). He previously
served three terms with the IIA’s International Professional Issues Committee where he
was actively involved in developing professional guidance to internal auditors. He
currently serves as a member of the Board of Trustees of the IIA Research Foundation.
Dick has had a number of articles published in the IIA’s publication Internal Auditor.
He co-authored the article “Stepping Up,” which appeared in Internal Auditor and was
awarded its Outstanding Contributor Award in 2006.