
The Essential Qualities of Best-Practice ERM
Presenters:
Mary Driscoll, Senior Research Fellow, APQC
Rob Torok, Executive Consultant, IBM Global Business Services

Today's Presenters
Mary Driscoll
Senior Research Fellow
APQC

Robert Torok
Executive Consultant
IBM Global Business Services

2011 APQC. ALL RIGHTS RESERVED.

Major Impetus for the Study

Key finding from a previous 2010 survey by APQC and IBM*

56% of organizations conceded that strategic risks have the least mature management processes.

* More than 300 senior finance and risk management executives were polled


Who We Are

APQC is a member-based, 501(c)3 nonprofit specializing in benchmarking, knowledge management, measurement, and process improvement.

Our mission is to work with organizations around the world to improve productivity and quality by:

discovering effective methods of improvement,
broadly disseminating findings, and
connecting individuals with one another and with the knowledge they need to improve.


2011 Collaborative Study on ERM


Stage-setting

Today's goals
Share fresh research about ERM leaders
Seek your feedback with poll questions

Explain research approach

Step through each study dimension


APQC Collaborative Research Road Map

Plan
Identify potential best-practice partners
Potential partner screening interviews
Kickoff meeting Nov. 3, 2010
Pilot and finalize data collection tools

Collect
Participate in site visits with selected best-practice partners (qualitative data collection)
Administer study detailed questionnaire (quantitative data collection)

Analyze
Draft best-practice partner case studies and submit for review
Analyze data
Identify key findings, critical success factors, and enablers

Adapt/Report
Prepare findings presentation
Conduct knowledge transfer session in March 2011
Discuss key findings, critical success factors, and enablers
Post final study materials (report, approved case studies, online survey results) to Project Spaces

Best-Practice Partner Organizations

Caterpillar
Intuit
Marathon
Novo Nordisk
The University of California


Online Survey Demographics

Study key findings resulted from a quantitative online detailed questionnaire from 58 organizations.

Participant Revenue
Greater than 5 Billion: 37.9%
1 Billion to 5 Billion: 32.8%
100 Million to 1 Billion: 29.3%

Participant Industry
Manufacturing: 25.4%
Utilities / Communications / Energy: 23.8%
Financial Services / Insurance: 15.9%
Government: 11.1%
Services: 11.1%
Retail Wholesale: 7.9%
Other: 4.8%

ERM Study Dimensions

ERM purpose, design, and accountability
ERM process
ERM tools and technologies; Assessing and communicating ERM program benefits


ERM Purpose, Design, and Accountability


Program Intent is Clear

Best-practice organizations have clarity of purpose.
They operate from the premise that they cannot increase value for stakeholders, or prevent value destruction, without ERM.

Best-practice organizations understand that the pursuit of enterprise strategy always carries risks, some of which are substantial. ERM allows them to determine what types of major risks they should take and how to manage those risks effectively.

Effective risk mitigation is considered a competitive weapon by best-practice organizations.


Some Examples

Leveraging ERM to determine which risks to undertake:
Intuit: Risk is tied to decision making at Intuit. One of ERM's purposes is to encourage an innovative culture and enable risk taking.
Marathon: ERM helps to assess new business opportunities.

Risk management as competitive weapon:
Caterpillar: used ERM to support dealer network in 2008.
Novo Nordisk: monitors potential reputation risks, a vital concern in the pharmaceutical industry.


ERM Team Receives Support

The ERM team at each best-practice organization is a small group of highly empowered people who interact with division/unit heads.

Intuit, Marathon, and Caterpillar all have small ERM teams working with risk owners in the business.

ERM is supported by other functions:
Intuit: Integrates with audit and legal
Marathon: Steering committees and integration with audit


Some Align Tightly with Audit

Examples:
Marathon: Audit plan is crafted with full view of enterprise risks and mitigation goals.
Intuit: Risk committee membership consists of the chief financial officer, general counsel, vice president of internal audit, and chief risk officer.


Poll Question #1
ERM Reports Where?

Whom does the leader of the core ERM team report to?
1. CEO
2. CFO
3. General Counsel
4. Chief Auditing Officer
5. Other Senior Executive


Study Results: Structure
Where does the core ERM leader report?

[Bar chart. Categories: CFO; CEO; Another senior executive; Chief operations officer; Business unit leader; General counsel; Chief auditing officer. Data labels: 37%, 25%, 22%, 6%, 6%, 5%, 3%.]

Marathon Example

Provide oversight on strategic and operational risks

Provide oversight on ERM process

Responsible for management of strategic and operational risks

Executive sponsor for ERM

Provide the framework and coordination on the risk analysis and mitigation

Audit & Finance Committee

CEO & Executive Committee

CFO

Enterprise Risk Manager

ERM Steering Committee
GM Internal Audit
GM Upstream Finance & Commercial
Director Central Eval. Team & Financial Planning
VP Finance & Treasurer
VP Accounting & Controller
Sr. VP Financial & Commercial Svcs (Downstream)
VP Health Environmental Safety & Security

Board of Directors
Committees of the Board

Risk ownership and accountability shared with business unit leadership

Risk Champions

Provide integration of audit, planning, and insurance functions with key risks governed by risk champions. Ensure ERM links operational risks with financial risks.

ERM Process


Example Process Overview: Marathon


Risk Id. and Assessment are Robust

ERM group drives dialogue about key versus other risks.

Standardized frameworks to identify, assess, manage, and report risks.

Best-practice organizations created clear criteria for what is a key or enterprise risk.
Guidance given: "Think the unthinkable."
Best-practice organizations have clear guidelines for risk escalation and dissenting opinions.
Standardized language helps people understand risk tolerance.
Embed risk assessments into decision making at quarterly reviews.

Comprehensive assessment: bottom-up, top-down, and sideways.

External data and potential reputational risks are factored in.
Built-in redundancy to ensure risks are not missed.
Assume there are risks you do not yet see.
Attempt to identify potential interaction among different risks.


Enterprise Risk at Marathon


Includes: External, Strategic, Operational and Financial

[Chart: Impact versus Probability, with a region labeled "Enterprise Value-Killer Risks". (For illustration purposes only.)]

Analysis and Mitigation are Robust

Best-practice organizations strive to quantify the probable cost of major risks (if they materialize) and the cost of risk avoidance.

Risk correlation is routine and well-supported by processes/systems:
Analysis of the significance, velocity, impact, and cost of avoidance or response;
Analysis of how one type of risk could amplify a risk in another area.

Best-practice organizations use tools such as a risk scorecard to analyze major risks and how they can interact.


Some Examples

Quantifying the probable cost of major risks

Novo Nordisk
Reputational risk tool
Risk impact scale (e.g., changes in product supply)
Gross/Net grid tool

Marathon's gross, net, and target assessments


ERM is Treated as an Aspect of Strategic Planning

ERM leaders are much more than process owners. They are authentic strategic advisers.

ERM is integrated with strategic planning.
ERM enables the C-suite and senior leaders to assess the viability of strategic options in light of established risk tolerance levels.

ERM is integrated with existing operating mechanisms (e.g., annual planning, target setting, and quarterly business review mechanisms).


Caterpillar's Risk Assessment and Planning Cycle


Poll Question #2
Process Integration

To what extent is ERM integrated with strategic planning processes?
1. Not integrated at all
2. Somewhat integrated
3. Fully integrated


Study Results: Process Integration

Best-practice organizations tightly integrate ERM with strategy and planning.

Intuit: ERM is concurrent with and feeds into strategy and planning
Caterpillar: The ERM core group is led by a manager of corporate strategy and business risk management
Marathon: ERM feeds into decisions about capital and operation planning
Novo Nordisk: ERM process is being integrated with strategic planning and balanced scorecard creation


ERM Tools and Assessing Program Benefits


IT tools are simple and user-friendly

Leaders have created simple, user-friendly tools to encourage adoption.
Emphasis on usability for end users

Examples:
Intuit's erm.intuit.com (for internal use only)
UCOP Excel-based risk assessment (publicly available) http://www.ucop.edu/riskmgt/erm
Caterpillar voting tools and simplified reporting requirements


Free Online Resources


Continuous Improvement is a Must

Knowledge management principles and concepts abound to drive continuous learning and communication.

ERM is dynamic, ever evolving, and incorporates lessons learned.

Best-practice organizations are committed to benchmarking and continuous improvement.
Best-practice organizations customize best practices to make them fit their organizations.
Best-practice organizations assemble evidence that the program delivers tangible benefits.


Poll Question #3
How Do You Examine Your ERM Program Maturity?

Which answer best approximates how you gauge where you stand?
1. Formal benchmarking of efficiency or effectiveness.
2. Informal comparison with similar business models.
3. Rely on outside consulting firm.
4. Basic literature search.
5. Have not yet compared our program to others.


Implications and Discussion

True leaders drive sustainable dialogue about risk.
Understanding risk is embedded in decision making.
It's about not only risk management but also culture and change management.


Questions?
Mary Driscoll
mdriscoll@apqc.org
Rob Torok
robert.torok@ca.ibm.com


For More

Visit www.apqc.org/knowledge-base to see more APQC events and browse content.
Have a suggestion? Let us know what topics you would like future Webinars to cover at www.apqc.org/feedback.
