The sharing of insights and experiences among ERM leaders continues to help advance the strategic value of ERM programs among organizations. Fostering thought leadership on strategically focused risk management is a core mission of the ERM Initiative at NC State University. The “golden nuggets” shared by speakers at the April 22, 2022 ERM Roundtable Summit covered a variety of topics related to advancing best practices in enterprise risk management (ERM). We are providing this high-level summary so others can benefit from what was shared in each of the six sessions.

Spotlight Risk Action Plans to Elevate Executive Attention on Top Risks

Our first session provided an in-depth overview of the ERM function at US Steel Corporation (USS) and was jointly presented by Arne Jahn, Vice President, Treasurer and Chief Risk Officer of USS, and Kate Scanga, Director, Treasury and ERM at USS. Arne and Kate described the ERM function as “actionable” and aligned with the strategic planning activities at USS. They have accomplished this alignment through the development of an active ERM Governance Committee that is led by the CEO and reports regularly to the Audit Committee of the USS Board of Directors. Key ERM activities at USS include an annual risk survey eliciting likelihood, impact, and velocity scores from 90-some participants, a voting recap session to validate the results of the survey, a review of the results with the ERM Governance Committee, and the reporting of these to the Audit Committee.

Action Plan Spotlights:
US Steel creates action plans for each of its top risks and “spotlights” those quarterly to foster understanding of the risk issues and actions taken or needed. This has enhanced risk accountability and executive awareness.

Action plans are developed for each identified key risk at USS, and the action plans for Tier One risks are refreshed quarterly. A key feature of the ERM process at USS is the quarterly debrief held with approximately 75 participants across the organization. These quarterly debriefs focus on current risk prioritization, emerging risks, updates from the Audit Committee and the Executive Steering Committee, ERM activities (e.g., annual voting), and an action plan spotlight. These regular debriefs have created an opportunity for engagement and alignment with executive leadership and constitute a major “win” for ERM at USS. They have fostered greater discussion and understanding of risk issues and actions taken, have driven action and risk ownership accountability, have increased risk awareness, and have validated that risk issues are heard at the highest levels within USS. Arne and Kate closed with a discussion of how USS is looking ahead to emerging risk issues and the challenges these risks pose for the organization.

Focus on Preparing for Disruption

Garrett Petraia, Chief Security Officer at Levi Strauss & Company, provided an outstanding overview of the ERM process at his organization. Garrett stressed the importance of making the risk conversation intuitive for business partners within the organization by asking about their goals, objectives, and key performance indicators. He also shared that his function exists to help these partners manage the headwinds and to assist in preventing their occurrence. Key questions to ask include “Are we prepared to manage through the disruptions if they do occur?” and “How might the risks and associated disruptions (i.e., headwinds) we’ve identified affect your ability to achieve those goals and hit performance targets?”

Garrett argued that this represents a shift from controls-based risk management toward the concept of ‘anticipatory risk management.’ The concept of anticipatory risk management focuses on preparing for the realities of disruptions without trying to guess what might trigger the disruption. This approach can yield multiple benefits as summarized in the sidebar.

Garrett closed his presentation by discussing how the content of his Enterprise Risk Committee meetings has evolved given this change in focus. Each meeting now addresses three important topic areas:

  • What’s new? This consists of updates since the last meeting.
  • What’s now? Which risks, crises, and initiatives are we managing now?
  • What’s next? Scanning the horizon to identify and address emerging risks and disruptions. What actions are we taking now? What can the ERC do to help?

Benefits of Preparing for Disruptions:

  • We know disruptions will occur. Most disruptions now seem driven by forces outside a company’s control.
  • The key is building agility and resilience to manage whatever disruptions come next.
  • There is value in shifting the philosophy from focusing on the cause, to focusing on dealing with the disruption, recovering, and creating opportunities.
  • Requires focus: pay attention to the important, not the interesting.
  • Makes crisis management & business continuity an integral part of ERM.

Understand Challenges of Managing Third Party Relationships

Brittany Tomkies, a Manager serving in EY’s Risk Transformation practice, provided an overview of the multitude of risk issues that are important to consider and monitor as entities increasingly engage with third-party providers. Brittany began her presentation by defining third-party risk management (TPRM) as a process to allow an organization to identify, evaluate, monitor, and manage the risks associated with third parties and contracts. Brittany also identified several key drivers that highlight the importance of a robust TPRM process:

  • Significant disruption can impact revenue and reputation: The risk of service failures, security breaches, revenue loss, supply chain interruption, loss of customers and penalties can negatively impact the reputation of organizations.
  • Extensive dependence on third parties: Key operational, financial and compliance-related functions are increasingly placed in the hands of third parties or the technology solutions they provide.
  • Increased data protection obligations and regulatory focus: Complex laws and regulations mandate that corporate control activities extend to third-parties when appropriate.
  • Efficiency gains: Companies seek to reduce costs, increase efficiencies, and drive quality back-office functions. Many institutions incur redundant costs when the same suppliers are independently assessed multiple times.

Brittany laid out a model TPRM process she and her team can implement and introduced a set of key questions to stimulate discussion about this topic. These include:

  • What type of third-party risks are important to your organization?
  • Does your organization have a comprehensive inventory of third-parties and existing third-party risks?
  • Are you able to differentiate among third-parties in order to align resources against the most significant third-party risk areas?

Business Case for Explicitly Focusing on Third Party Risk Management

  1. Unmanaged risks can lead to significant disruption impact on revenue and reputation.
  2. Dependence on third parties is extensive and growing quickly for most organizations.
  3. Increased data protection obligations and regulatory focus encompass data impacted in many ways by third parties.
  4. Efficiency gains can be realized if risk management efforts are coordinated and consolidated across third parties.

Finally, Brittany closed by highlighting key findings from the 2021 EY Global Third-Party Risk Management Survey.

Formalize an Explicit Strategy to Manage Third & Fourth Party Risks

Our fourth session was led by Whitney Heflin, Senior Director of Enterprise Risk Programs at Blue Cross Blue Shield of Florida. Whitney began with an overview of the third-party risk exposure at BCBS of Florida and talked about the process of winnowing down the list of 3000+ potential third parties to those that require monitoring (approximately 800-900 entities), those that require TPRM oversight and required mitigations (about 100), and the group of critical third parties that are the subject of ongoing robust contingency planning activities and prioritized sourcing strategies. Whitney stressed that there is no one “right way” to govern a TPRM process, but by understanding the range of centralization options and their impact on cost and complexity, Florida Blue was able to develop a better understanding of the tradeoffs it was making.

Centralizing third-party risk management helps focus third-party risk assessment on the parties most critical to the organization, where robust contingency planning creates the greatest value.

Whitney also highlighted that establishing a target future state allowed them to successfully navigate improvement efforts. She stressed that a strong, collaborative relationship with procurement is critical for TPRM success. She also cautioned against becoming overwhelmed by the data, recognizing instead that it exists and can be leveraged: try to centralize, simplify, and automate processes where possible. Finally, Whitney shared the biggest lessons learned in their TPRM process evolution: establish external context early to create executive leader buy-in; implement project management discipline; identify the need for change management; and employ lean thinking early and anchor work using the supplier life cycle.

Build a Robust Board + Management Risk Program

Joe Pugh, Director of AARP’s ERM and Compliance efforts, led our fifth session. Joe is the architect of the ERM program at AARP and helped establish the risk governance cadence that provides risk information to executives and the Board of Directors as they make key strategic decisions. In his session, Joe shared insights about what AARP has done to engage both the board and the senior management team in an integrated partnership that leads to an effective approach to ERM.

Joe discussed four key components of the ERM process that he believes have been integral to the success of the program at AARP. First, he stressed the importance of creating a ‘risk working group’ that consists of two members of the AARP board, four executive team members, and an ERM facilitator. This group was tasked with establishing ground rules for engagement, meeting on a regular basis between Board meetings, creating a sense of collaboration and shared responsibility, and developing ERM advocates within the organization. Next, a robust education effort was undertaken to provide a foundation and to level-set the ERM process while clarifying board risk oversight responsibilities. Third, a joint risk assessment survey is used to identify gaps between management and board perspectives on the likelihood and impact of potential risk events, which serves to stimulate risk conversation where such gaps exist. Finally, a joint risk scenario workshop is conducted to deeply explore the potential implications of key risk exposures. Joe closed with key takeaways from this effort: (1) Board and executive management now reach a consensus on the critical risks driving strategy, (2) AARP can now formally bake risk appetite into the strategic planning process, (3) There is an annual cadence for the review of risk appetite, (4) Robust strategic conversations are happening in the board room, and (5) The board is more risk-savvy.


Steps to Strengthen Board + Management Risk Partnership

  • Create a risk working group of management and board.
  • Educate to provide foundation and to level-set the ERM goals and roles.
  • Identify gaps in risk views between board and management.
  • Engage in discussions about potential risk exposure gaps.

Seek Innovation Opportunities in ERM

Our final session of the ERM Roundtable Summit featured a presentation by a team of our Jenkins Graduate School students who developed a case study identifying innovation opportunities in ERM. The team consisted of Carson Best, Bibiche Bolobiongo, Madi Bonello, Peyton Gilbert, and Ashwin Ramachandran and was supervised by Ericka Kranitz, Director of the Master of Management, Risk and Analytics program in Poole College. The student team interviewed a number of ERM leaders in a variety of organizations and posed the following questions to them:

  • What have you done in the last two to three years to advance your ERM program?
  • What is on your ERM to-do list for the next two to three years?
  • How do you envision ERM in your organization a decade from now, in 2032?
  • What qualities and skill sets are important for new hires and what development opportunities have you created for current employees?

Four key themes emerged from their conversations. First, culture is critically important to the success of ERM, and this will only become more true in the future. Senior management must continue to establish the proper tone to encourage buy-in across the organization. Second, the expanded availability of data and the use of data analytics will be crucial. We live in a data-rich world, and leveraging the opportunities this presents will be both a challenge and a significant opportunity. Third, talent risk, and the solutions to it, are affecting all organizations. The ideal ERM candidate was identified as someone who is a natural problem solver, who is comfortable presenting strategic information, and who knows how to ask the right questions. A blend of both soft and technical skills will be required for ERM innovation to occur. Finally, the ability to think strategically and be forward-looking is essential. Innovation can take place when we can associate individual risks with emerging risk themes, when we can proactively act on opportunities, and when education efforts within the organization create new opportunities for honing our gaze on the emerging risk landscape.


4 Themes to Support Innovation in ERM

  • Culture is critical: Buy-in to the importance of ERM for the organization is critical for fostering innovation.
  • Data Analytics will be crucial: Leveraging data to generate more real-time, holistic metrics of emerging risks will be a game-changer.
  • Hard and soft skills needed for risk leadership: Problem-solving skills and strategic mindset lead to innovation opportunities.
  • Forward-looking focus: A strategic, forward-looking mindset helps look beyond the status quo of ERM processes to pinpoint new opportunities.

ERM Enterprise Risk Management Initiative 2022-04-29