#61 – CREATIVELY BUILD A RISK INTELLIGENT CULTURE – APQC

In its best practices report, Enterprise Risk Management: Seven Imperatives for Process Excellence, APQC presents the results of research on the need to evolve enterprise risk management (ERM) processes and practices.

As a result of its survey findings and interviews with ERM leaders known for developing select best practices, APQC finds that there are three stages of ERM process maturity that span seven best practices.  The stages of maturity are:

  • Establish, during which organizations define process steps and risk owners;
  • Cultivate, during which ERM leaders improve the quality of risk conversations; and
  • Refine, during which organizations drive sound ERM strategy and execution.

During the second stage of ERM maturity, the core ERM process is in place and risk owners understand how and when they must contribute.

The ERM leader focuses on improving the quality of risk conversations; to do so, he or she must creatively build a risk-intelligent culture.

HOW BEST-PRACTICE ORGANIZATIONS DO IT

Exxaro Resources Ltd.

The work done at Exxaro to create an integrated and standardized enterprise-wide approach to risk management has been recognized by the Institute of Risk Management South Africa (IRMSA).  While giving Exxaro the Information Systems Industry Initiative Award in October 2013, the IRMSA stated:

“Exxaro realized from the outset that risk management is about the improvement of risk culture and not necessarily about risk analysis [and that] risks should also be linked to business unit, departmental, and group objectives.  They have embedded a process that is not compliance-driven but a tool that management wants to use because it assists in the achievement of strategic objectives.”

The ERM team at Exxaro works to break silos not only in terms of functional areas but also in terms of seniority levels.  “Our main vision is to teach people that risk management is about proactive thinking in every layer of the organization,” said Saret Van Loggerenberg, Exxaro’s manager of risk and compliance.

To drive meaningful cultural engagement, Van Loggerenberg developed an unconventional way to ensure that the board understands the proper use of risk management methodology—without outwardly lecturing its members.  The core ERM team hosts a risk management workshop and uses gamification to impart training information.

Van Loggerenberg divides the group into two teams, and each team receives a color.  She explains some terminology and context to the players, and they each have 10 minutes to match a risk to its orders and consequences.  There is a prize at the end for the winning team. “We try to make it fun, mainly because risk management that becomes too focused on checking a box is ineffective,” said Van Loggerenberg.

Paychex Inc.

At Paychex, discrete opportunities arise for people on the ERM team to be innovative and take steps that actually enhance the financial performance of the company.

One example came from Frank Fiorille, Paychex’s senior director of risk management.  Several years ago, an expert in the compliance organization had gained deep familiarity with the complex regulations and laws that pertain to a particular business segment.  “By leveraging that deep institutional and industry-specific knowledge, we were able to identify new opportunities to not only create operational efficiency and improve our internal control effectiveness, but also create potential new revenue streams that have delivered significant top line revenue to the company over the past few years,” said Fiorille, adding that the team was able to apply that same approach to other areas of the business and uncover additional opportunities to enhance the value proposition of other products and services.  This helped to strengthen partnerships with business unit managers and enhance their engagement in the discipline of strategic risk management.

Paychex leads the way in creative brainstorming and board engagement.  During Paychex’s risk identification process, known as the “Tournament of Risk,” Fiorille and his team identify 64 key risks.  This list is determined by considering each risk’s potential impact, likelihood, velocity, and management control effectiveness.  The leaders of the meeting put these risks up on a board that looks like an NCAA bracket (Figure 1).  Every one of the nearly 200 people present at the meeting has electronic voting capabilities and votes on each risk in head-to-head competitions—whichever one at each stage stands out because it has the greatest future residual risk (what remains after the mitigation strategy has been deployed) advances to the next level.

The ultimate goal for the Tournament of Risk is to gain collective feedback from senior leadership.   The individual risk score doesn’t really matter—it is fun and creates dialogue. “It is one way to get executives engaged and interested in risk,” said Fiorille.

The LEGO Group

At the LEGO Group, Hans Læssøe, senior director of strategic risk management, said that the point of meeting with the board and managers is to kick off creative brainstorms.  He developed an exercise that prompts company managers to have practical discussions. “We talk about the resiliency of managers’ strategic plans,” he said.  “We can ask, ‘What have you done to fold the risks that have been identified into your plan in a way that allows you to win the important battles?’”

In contrast to these practices, a board-level conversation at a far less mature company would involve a rote recitation of risks that surprise nobody. (E.g., What do we do if the price of energy rises next year?)  Leading organizations continually engage board members, company executives, and risk owners.

ABOUT APQC

APQC is a member-based nonprofit and one of the leading proponents of benchmarking and best practice business research. Working with more than 500 organizations worldwide in all industries, APQC focuses on providing organizations with the information they need to work smarter, faster, and with confidence. Every day we uncover the processes and practices that push organizations from good to great. Visit us at www.apqc.org and learn how you can make best practices your practices.

To learn how successful ERM programs work at companies such as the LEGO Group, Rockwell Collins Inc., and Exxaro Resources Ltd., be sure to read APQC’s new best practices report, Enterprise Risk Management: Seven Imperatives for Process Excellence, and listen to the free webinar Enterprise Risk Management: A New Landscape Prompts Change.  (C) APQC – All Rights Reserved.
