In its best practices report, Enterprise Risk Management: Seven Imperatives for Process Excellence, APQC presents the results of research on the need to evolve enterprise risk management (ERM) processes and practices.

As a result of its survey findings and interviews with ERM leaders known for developing select best practices, APQC finds that there are three stages of ERM process maturity that span seven best practices. The stages of maturity are:

• Establish, during which organizations define process steps and risk owners;
• Cultivate, during which ERM leaders improve the quality of risk conversations; and
• Refine, during which organizations drive sound ERM strategy and execution.

During the first stage of ERM maturity, an organization’s senior executives must identify and deputize an ERM leader. The objectives at this point are to define the process steps and name and train the people accountable for risk.

The first best practice in this stage requires that the ERM leader build a reliable and repeatable process for helping risk owners fulfill their responsibilities and report to the board and top executives on a regular basis about:

• Changes in identified risks,
• Signs on the horizon that remote risks are growing or accelerating, or
• Ssigns that previously unknown risks have begun to take shape.

APQC’s survey results show that the vast majority of organizations that review action items generated to mitigate identified risks find their ERM processes effective (Figure 1).

The case studies featured in the best practices report have well-defined ERM program architectures, review cycles, assessment methodologies, and reporting mechanisms.

 

HOW BEST-PRACTICE ORGANIZATIONS DO IT

Rockwell Collins Inc.

Rockwell Collins uses two types of councils to identify risk. The first, operations-facing layer is made up of 10 extended councils. Each business unit (commercial, government, international, and various shared services functions) creates a group of four to eight individuals. Each extended council identifies risks and reports its assessment to a core enterprise risk council, which consists of senior representatives from each business unit and shared services organizations. The enterprise risk council then reviews and assesses a portfolio of up to 50 key risks. This collective review helps to ensure a practical discussion about consistency in risk ranking and gaps, if any.

Amy McDonald, the vice president of internal audit and general auditor at Rockwell Collins, is the organization’s ERM process leader. She makes an annual presentation on the risk portfolio to a senior leadership council and to its board of directors. They use the portfolio to build the board calendar for the year, which the audit committee then approves. McDonald uses this calendar to tackle four or five specific topics during quarterly meetings. “The process spurs a robust discussion and dialogue about the sum of the risks at the board level and at the executive management level,” she said.

 

 

The LEGO Group

The LEGO Group began building its ERM program in 2007. Hans Læssøe, senior director of strategic risk management at LEGO, and several senior colleagues developed a sound methodology for assessing the likelihood of a risk scenario, which reveals Læssøe’s appreciation for the way busy managers think. For example, once he develops a quantified forecast for a given risk scenario (e.g., a mainstay product line could begin to lose appeal with consumers and annual revenue growth could be impaired), he studies the likelihood of that happening. He used a five-by-five impact scale, in which a very high likelihood equals a 90 percent chance of occurring, high is 30 percent, medium is 10 percent, low is 3 percent, and very low is 1 percent. This way, said Læssøe, “people can more easily distinguish between the percentages.”

Beyond that, strategic risk management has enabled the LEGO Group to document how risks interrelate, a practice that many organizations are just now trying to sort out.

Exxaro Resources Ltd. 

Saret Van Loggerenberg, manager of risk and compliance at Exxaro, stresses the importance of thorough training when building an ERM program. The company uses “governance, risk, and compliance” (GRC) when referring to what this report calls ERM. She trained employees and managers on the risk management process and analysis methodology before she implemented SAP’s risk management and process control solutions. Van Loggerenberg said that she launched Exxaro’s systems training with “a business process recap and methodology recap” and used terminology that risk owners were familiar with. She conducted nearly 50 sessions in the corporate office and at least four sessions at every business unit. Additionally, she worked to ensure that an e-learning training tool was available for people to simulate risk reporting. The workshop sessions also aimed to describe and embed a common risk language.

Paychex Inc. 

One innovative approach at Paychex is an annual group assessment involving nearly 200 top leaders of the company from all over the U.S. and Germany. These leaders represent all vital business groups, from sales and marketing to finance and IT. The risk management team actually conducts the assessment in a manner akin to college basketball’s March Madness. Paychex’s game is called the “Tournament of Risk.”

First, Frank Fiorille, Paychex’s senior director of risk management, and his ERM organization identify 64 risks that have been pegged as “key risks.” This list is determined by considering each risk’s potential impact, likelihood, velocity, and management control effectiveness.

The leaders of the meeting put these risks up on a board that looks like an NCAA bracket. Every one of the nearly 200 people present at the meeting has electronic voting capabilities and votes on each risk in head-to-head competitions—whichever one at each stage stands out because it has the greatest future residual risk (what remains after the mitigation strategy has been deployed) advances to the next level.

This way, the top leaders of the company are given the opportunity to identify and communicate what they think could have remaining risk from any event or combination of events after all mitigation strategies have been employed. Note, too, that the executives get a clear set of definitions to help them work in a consistent and coherent fashion.

The ultimate goal for the Tournament of Risk is to gain collective feedback from senior leadership. The individual risk score doesn’t really matter—it is fun and creates dialogue. “It is one way to get executives engaged and interested in risk,” said Fiorille.

In its tournament, Paychex distinguishes between strategic and operational risks. Much in the same way that March Madness splits regions into north/south/east/west, Paychex distinguishes between financial risks, strategic risks, hazard risks, and operational risks. Once the final set of key risks is determined, the risk management group assigns an owner who resides in business functions. “Sometimes the risk owner can be a risk management person, but it’s often on the business side. We partner with those risk owners to clarify a risk, give it dimension, and get at it in a mitigation plan,” explained Fiorille.

ABOUT APQC

APQC is a member-based nonprofit and one of the leading proponents of benchmarking and best practice business research. Working with more than 500 organizations worldwide in all industries, APQC focuses on providing organizations with the information they need to work smarter, faster, and with confidence. Every day we uncover the processes and practices that push organizations from good to great. Visit us at www.apqc.org and learn how you can make best practices your practices.

©2014 APQC ALL RIGHTS RESERVED