Culture, Strategy, Board Engagement, Scenario Analysis, and More!
Highlights from the Fall 2017 NCSU ERM Roundtable Summit

At every ERM Roundtable Summit participants come away with practical tips for making their ERM process better as well as new ways of looking at risks to maximize the effectiveness of monitoring and response plans.  This session was no different, and I will highlight some of the keys messages delivered by risk leaders at Southwest Airlines, AARP, the Bill and Melinda Gates Foundation, IBM, and S&P Global Ratings.

Ted Gordon of Southwest Airlines kicked off our morning by highlighting how ERM at his company engages people and respects the unique culture of the organization.  I believe most ERM professionals would agree that engaging people in the ERM process is vital to effectively manage enterprise risks, and this session highlighted how important it is to consider and leverage the organization’s unique culture as you implement processes to manage risks.  Ted shared the strong focus on people at Southwest, emphasizing that strategic goals are achieved through people.  Accordingly, if you can connect the dots between risk management and achievement of objectives, you will have strong engagement across the organization.  In addition, key attributes of Southwest’s culture had to be considered as part of the ERM process.  Recognizing the entrepreneurial spirit at the company, he knew that each major functional group in the company would look at risks differently, and therefore those functional groups would be more engaged if each was responsible for maintaining functional area risk registers and managing risks in their own unique way.  While it was critical to recognize that each functional group would be more effective looking at risks in this way, an enterprise view was also needed.  This was accomplished through an executive steering group that brought the risks together through regular meetings and frequent touch points to get on the same page.  The teams across the organization needed to have some leeway in managing their own risks, but ultimately the executive steering group is responsible.

Ted made two points that challenged risk professionals to up their game or think about the ERM process differently.  First, he challenged the traditional risk maturity model that focuses on the process, and instead suggested that maturity be measured in terms of ability to manage the unique risks facing your organization.  Becoming more mature is not a linear process, and like everything else in ERM, an organization’s level of maturity has to be considered in light of the entity’s unique culture and business model.  As a result, Southwest evaluates risks posed in comparison to current management efforts, and then shifts its resources towards the most efficient opportunities.  Finally, Ted focused on the importance of turning information into insights.  You engage people by providing them with insights gleaned from information, and when you have more engagement, you will be better positioned to coordinate risk management efforts across the company and integrate risk management into your planning efforts.

In the next session, Joe Pugh of AARP, and Matt Shinkman of Gartner (formerly CEB) shared the process that was used at AARP to create a Board-Executive “Risk Partnership” to more effectively address the changing risk environment and the desire to become more innovative. The first step in this process was to form a risk working group of 3 board members and 2 company executives to help guide the process.  This working group met in between the regular board meetings and was tasked with establishing the ground rules for engagement on risk management activities.  The next step in the process was to develop and administer a risk assessment survey in which both board and senior management committee members were asked to assess a stated list of risks.  Results were then compiled separately for the board vs. senior management.  The board as a whole, compared to senior management rated all risks higher on impact, most likely because the board was not as aware of all the day-to-day mitigation activities already in place.  At the next board meeting after the survey was administered, 90 minutes were set aside to discuss the survey results and to conduct a scenario workshop.  During the first part of this session, management and the board held a joint session to discuss differing perceptions of the risks.  After that, a joint scenario workshop, facilitated by a representative from Gartner, was conducted to evaluate two scenarios:  one that would be considered a downside risk and another that would be considered an opportunity.  The workshop allowed management and the board to discuss risk response and prevention and to become better aligned in viewing risks.  The combined session, along with the use of the Risk Working Group provided tangible examples and perspectives that resulted in a more productive discussion of risk preferences, leading to the articulation of a risk appetite for the organization.

Many risk professionals struggle to have their ERM process integrated into the strategic planning process; Diane Camenisch shared the techniques she has used at the Bill and Melinda Gates Foundation to make risk considerations a part of the strategic planning process.  One important technique is to incorporate risk questions into the strategy development templates that are used in the Foundation’s planning process.  Risks are defined as uncertainties that might prevent the organization from reaching its goals or missing opportunities it wants to seize.  The questions are framed using the same risk taxonomy that is used in the ERM process and prompts the consideration of risks across 6 broad categories:  external, strategy/impact, brand/reputational, financial, legal, and operational.  Once strategies are put in place, there is ongoing accountability for managing risks and evaluations of the effectiveness of risk management programs.  One phrase that Diane used throughout her presentation was the phrase “mind the gap” which refers to the gap between your known and unknown risks.  The foundation strives to be prepared for those “unknown knowables” that fall in the gap.  By highlighting risks at the front end of strategy development, significant risk themes are identified and validated and then managed through the execution phase.  Learnings are then incorporated into the next cycle and strategy and execution plans may be refined as a result.

Claudio Martinez de la Vega and Octavian Udrea of IBM shared insights for leading an effective scenario planning workshop.  Before diving into the scenario planning topic, Claudio shared IBM’s ERM journey where he noted that culture was “the glue” driving risk awareness across the company.  Early identification of emerging risks is critical to IBM and therefore scenario planning is an important tool to imagine and prepare for probable future events and their impact.  In addition, IBM Research has been developing Machine Foresight capabilities which Octavian discussed.  This capability can be used to scan massive amounts of news sources highlighting emerging issues, generate scenarios, evaluate potential trajectories, prepare “what-if” analyses and make forecasts/predictions of likely events. The two speakers then walked through the entire scenario planning analysis process at IBM, including the workshops which are focused on how IBM would prepare for and react to a scenario(s) that had been developed in advance of the workshop.  They shared these guidelines for a scenario planning workshop:

  2. Risk leader should introduce the methodology, if possible with an example such as a story people can connect with
  4. Identify risk drivers and scan news and social media
  6. Engage management early on
  8. Select only high impact scenarios
  10. Discuss business impacts and potential action plans
  12. Monitor and be ready to activate actions when needed.

He concluded by summarizing these takeaway points that were important to IBM in its ERM journey:

  2.   Have a clear philosophy and framework, 
  4. Socialize and drive a risk culture, and
  6. Take advantage of the assets in your company,
  8. Have a structured process to “scan the horizon”,
  10. Have a scenario planning methodology and train others, and
  12. Use technology to your advantage, including both internal and external tools.

Laline Carvalho from S&P Global Ratings (S&P) gave an overview of S&P’s considerations of how organizations are assessing environmental, social, and governance (ESG) risks that S&P is now using in its debt ratings process.  She began by emphasizing that ESG risks are important because these risks (and opportunities!) can affect the capacity and willingness of an entity to meet its financial commitments in many different ways:  operating performance, competitive positioning, brand or reputation, regulatory or litigation exposures, ability to attract customers or workforce, etc.  The growing interest in ESG issues coincides with global trends such as expected population growth and the pressure that creates on natural resources, climate change and sea level rise, accelerated pace of technological disruption, and the global transition towards lower carbon energy sources.  S&P considers both the potential impact of ESG risks as well as management’s capability for managing the risks, and has identified specific risk factors in each of the three areas.  Laline then provided some specifics regarding potential future losses associated with climate change and the increasing losses being experienced from natural catastrophe events to highlight the severity of the risks in this area.  She also suggested some potential climate change scenarios that could be incorporated into a scenario analysis to evaluate potential losses.  She closed by emphasizing that ESG needs pro-active management and engagement.  Not only are creditors interested in evaluating these risks, but these issues are also being incorporated into institutional investors’ strategy decisions and ownership practices in order to reduce risk, enhance financial returns and meet clients’ sustainability expectations.  A firm’s ability to identify, prioritize, monitor and develop robust strategies to mitigate – and possibly optimize – ESG risks will likely be a meaningful differentiator of company performance in future years.

If you attended this most recent Roundtable Summit, then you probably picked up many more insights than what I’ve highlighted here.  If you weren’t able to attend, I hope you found the information here helpful to your ERM process.  Either way, mark your calendar for our next ERM Roundtable Summit on April 27, 2018, and sign up for our ERM newsletter below so that you won’t miss any upcoming events!

Download a copy of this article   here .

  FRIDAY, APRIL 27, 2018  



    As Executive Director of North Carolina State University’s ERM Initiative, Bonnie Hancock works closely with  senior executives as they design and implement enterprise risk management (ERM) processes in organizations they serve. That hands-on advising leads to insights about techniques useful in addressing a number of practical challenges associated with ensuring ERM processes are value adding without over-burdening the process.   

Subscribe to ERM Insights

The latest research, insights and opportunities from the NC State ERM Initiative to help
you and your organization lead with confidence.

ERM Enterprise Risk Management Initiative 2017-12-05