NC State’s ERM Initiative held its fall 2015 ERM Roundtable Summit last Friday, November 13th, to a sellout crowd of 180 participants. The Summit brought together four speakers from organizations with relatively mature ERM programs:


  • Richard Muzikar, Director of Enterprise Risk Management for conEdison
  • Monica Merrifield, VP of Risk Intelligence for the YMCA of Greater Toronto
  • Mandeep Walia, Senior Director of Enterprise Risk Management for PayPal
  • Nick Lemen, Senior Director of Enterprise Risk Management for Eli Lilly and Company

  Two major themes played out in the discussions: the importance of a mature risk culture or risk mindset that recognizes the value of effective risk management, and the need to evolve risk management towards integration with strategy. Each speaker referenced the importance of risk culture and risk mindset in significantly affecting the success of an ERM program. The speakers also highlighted key elements of successfully evolving ERM from a focus on traditional risk management issues, such as hazard management, to its true promise as an integral tool in strategy.

Developing KRIs

  Richard Muzikar, from conEdison (one of the largest investor-owned energy companies in the U.S.), kicked off the event with a discussion about the development of key risk indicators (KRIs). Before getting into the details of how the company approached identifying and measuring KRIs, Rich began by highlighting the benefits conEdison is realizing through its use of KRIs. In particular, he noted how KRIs have helped enhance risk culture by allowing employees to better focus on understanding the risks underlying the firm, which helps transform the risk mindset from a check-the-box attitude to one that is focused on understanding the primary and secondary causes of risk events. The use of KRIs has helped the company’s ERM Steering Committee by enhancing the understanding of key risks and enhancing the company’s overall risk culture. In addition, the use of KRIs has helped the company prioritize capital spending to focus on risks that are increasing.

  To develop KRIs, conEdison benefited from the use of bowtie analysis to define risks and create a KRI dashboard. The bowtie analysis tool helps employees responsible for a particular risk focus on developing metrics to monitor both sides of a risk event (think of the risk event as the knot in a bowtie): (1) the causes of a risk event and (2) the consequences of that risk. conEdison has found that the bowtie analysis tool has helped identify key metrics to monitor leading causes and lagging consequences of a risk event. Those metrics are then included in a KRI dashboard that management uses to monitor the overall direction of the risk.

  conEdison’s success in using KRIs was a result of a lot of hard work the company put into creating a solid ERM foundation. In fact, Rich spoke of the difficulty of identifying accurate measures that can be effective KRIs and noted that using a data-driven analysis to support the identification of risk causes and consequences is essential. This was not the last time a focus on the benefits of data analytics would be discussed in the day’s sessions.

Strategic Risk Management

  Our next speaker, Monica Merrifield from the YMCA of Greater Toronto (the largest charity in Canada), focused on embedding risk thinking in the context of strategy management and execution to create a sustainable organization. The YMCA of Greater Toronto’s risk evolution started, like that of most organizations, with a siloed approach that mostly provided an insurance perspective; it has now evolved into a mature, holistic ERM approach in which risk and strategy are highly integrated. Monica shared insights into how the YMCA of Greater Toronto is now leveraging its work in ERM so that it is part of the organization’s strategic vision, where risk culture and mindset support innovation, planning, and budgeting for the organization.

  Monica spoke of how the organization discusses risk through analyzing a number of key questions:

  • What are our major risks currently?
  • What risks are emerging that could impact our future sustainability?
  • What should we do and what is the risk of inaction?
  • What should be our risk appetite?

  These questions have helped the YMCA of Greater Toronto identify key current and emerging risks and more importantly understand risk interconnections.  An important part of this examination is how data visualization can help employees better understand risk connections.

  Monica finished her talk by focusing on steps she has found useful in integrating ERM into strategy.  She provided several observations:  

  • It is essential to engage employees across the organization in the ERM process;
  • The process must be a collaboration across an organization’s key leaders who work together to coordinate a successful strategy using a risk lens;
  • Risk thinking must be embedded into the planning processes (i.e., not after the fact);
  • The process should lead to establishing performance metrics so that interventions can be taken; and
  • Risk culture should be established so that lessons learned can be shared to create a better strategic risk management program.

Intersection of ERM and GRC

  Mandeep Walia from PayPal discussed the intersection of ERM and GRC (Governance, Risk and Compliance).  He highlighted how the ERM process begins with a strategic vision for the organization and how that leads to a risk culture which must inform the organization’s strategy.  Two important points that Mandeep stressed were that

  1. Most organizations are overloaded with so much information that it is important to be able to summarize and visualize the data at high levels for risk leaders and executives, and
  2. Companies with global operations can especially benefit from creating more uniformity across ERM and GRC policies to enhance the overall company risk culture and mindset.

  Mandeep emphasized how a company’s ERM process is dependent on the organization having an ERM vision and culture. An ERM program’s success will be a function of the organization’s maturity, alignment with the organization’s vision and executive support.  He highlighted four important building blocks he has observed across his career in helping lead risk management efforts in a number of organizations:

  • Executive buy-in - Senior leaders must support ERM implementation across functional areas and be accountable by including ERM performance goals
  • ERM Framework - It is important to set the ERM framework through policies and standards
  • Training and Communication - It is essential to train employees to have a risk mindset
  • ERM platform - The ERM process should be designed and implemented first, before software solutions are identified; put ERM methodology before the tool

Navigating Around ERM Derailers

  Nick Lemen from Eli Lilly and Company rounded out our day by providing a thought-provoking discussion of risks that can derail your ERM program. One of the underlying themes of Nick’s discussion was that for ERM to be successful, it can’t just be a corporate mandate or a check-the-box exercise. Rather, ERM must become a part of the organization’s leadership mindset that is positioned to provide risk insights about how you run the business. The discussion focused on several points that reinforced key take-aways from the three earlier speakers:

  • Keep the process simple - Maintain a consistent and transparent process
  • ERM culture can be instilled through ERM liaisons - the first line of defense - they are responsible for the initial monitoring of risks and are very important for identifying new emerging risks
  • Listen to your employees as they identify potential risks and elevate those for further discussion - consolidate risks by business area and then identify enterprise level risks
  • ERM must be part of the business, not a separate set of processes - ERM needs to be connected with strategy and the organization’s value proposition
  • Reputation risk is so intertwined in the entire business - it must always be at the forefront of risk culture
  • Information and communication are paramount to increasing the effectiveness of the ERM program

  Nick finished his talk with two important observations about (1) the importance of creating a risk community so that you can learn from others and (2) the need to embrace a journey when developing an ERM program versus having a project mindset.


  The day was packed with rich, practical insights from these experienced ERM leaders that hopefully helped participants walk away with a number of nuggets that they might be able to take back to their organization’s ERM programs.  I know that the ERM Initiative faculty gained tremendous insights that will become a part of our future ERM courses here at NC State that will also help us as we work with organizations to advance the strategic contribution of their ERM efforts.  Not only did participants benefit from the insightful presentations, but they also found the networking with over 180 other ERM leaders hugely valuable.


  Don’t miss out on this tremendous learning opportunity.  We’ll be hosting our Spring ERM Roundtable Summit on Friday, April 22, 2016 here in Raleigh.  Watch the ERM Initiative web site for more details:



  Don Pagach, PhD
  Professor and Research Director, NC State’s ERM Initiative

  As Research Director of North Carolina State University’s ERM Initiative, Don Pagach actively conducts research that examines factors associated with how entities design and implement enterprise risk management (ERM) processes and how those processes impact firm performance and value.  In the summary below, Don provides insights he gleaned from last week’s ERM Roundtable Summit held in Raleigh.


ERM Enterprise Risk Management Initiative 2015-11-13