At every ERM Roundtable Summit, participants discover innovative and practical tips for making their ERM process better and they find new ways of looking at how their process helps management respond to and manage key risks. This spring’s event brought fresh insights from risk leaders at Lowe’s Companies, General Mills, Carnegie Mellon, and General Motors.
“Integration” of Strategy and ERM
Sean Browning, Director, Enterprise Risk Management, Lowe’s Companies, Inc. kicked off our session by sharing how he connects and leverages the ERM process he leads with the strategy at Lowe’s Companies. Sean used a couple of terms and concepts that I had not heard before in the context of ERM and had some great advice for positioning the ERM function to be value-adding.
Sean sees his role as a one of “constructive agitation” in order to open up the thinking around potential risks and opportunities. One of the key ways he accomplishes this is by looking for the “illusions” that the organization may have about its business or a particular strategy. And by “illusions” he means those assumptions that are being made either about the future state or about the organization’s capability to manage particular risks. He has a menu of questions that he uses to unearth these illusions including inquiries about greatest challenges to executing strategy, critical organizational capabilities that may be lacking, emerging risks for which the organization is least prepared, and the risks or challenges that may need more visibility.
Sean offered several key pieces of advice on aligning ERM with strategy. Noting that risks frequently drive strategy, he urged ERM professionals to partner on the front end of strategy development, and be supportive of business case development and stage gating. Recognizing the challenges ERM functions sometimes face in getting a seat at the table, Sean emphasized the importance of embedding risk-mindedness in risk owners, approvers, and leadership and how sometimes it helps to scale the ERM effort through others. He also suggested focusing on capitalizing the doors that are open while working around the ones that are closed. Having a standard framework and taxonomy usually makes it easier to create a risk-aware culture.
Because Sean focuses so much on having the right conversations around risks, he developed a unique “ERM Stakeholder Tracker” that sets a target level of engagement regarding ERM matters with key stakeholders across the business and then tracks his contact with them and their level of risk oversight engagement using a color coded system that then rates that stakeholder’s overall engagement on ERM related matters. This tracking allows for a quick prioritization of those stakeholders that should be contacted in the near future to refresh risk or mitigation plan status.
One of the points emphasized in this session – that ERM is a dynamic and evolving process that must be flexible, adaptable and opportunistic – was a great segue way into our next session on transforming an ERM process.
ERM Transformation at General Mills
Andy Vergeront, Director Global Internal Controls and ERM at General Mills is a relatively new leader of an ERM process that had been in place for over 16 years, and was ripe for a re-vamp. There was some pressure from the audit committee of the board of the directors to change the ERM process so that it would be more plugged into the strategic planning process, begin measuring the effectiveness of mitigations, and provide more focus on risk appetite. Through benchmarking efforts, other gaps were identified in the process including the need to have more senior involvement and more accountability across the organization for risk management.
The major changes proposed from this benchmarking process were
- Smaller, more senior ERM committee (changed from 30 to 11 members and from officers/directors to senior leaders)
- Integrate ERM into strategic planning process (changed timing; engaged in deliberate strategic risk discussion)
- Assign risk owners for each remaining Operational risk who are accountable to functional leaders on Risk Committee
- Use broad surveys to gather perspectives on risk
- Add “Deep Dive Risk Analysis” to Risk Committee meetings
- Develop KRIs
- Assign operational risks to committees of the board of directors
These recommendations were accepted by the Senior Leadership Team and Audit Committee and are in the process of being implemented. Andy described this as delegating a lot of his job “up and out”; where there was not a lot of accountability for risk management across the organization before, now roles and responsibilities are much clearer. He emphasized the importance of looking at external benchmarks, but also fitting the process to the organization’s unique business model and culture. Senior leadership support is critical to success, and value must be demonstrated to gain that support. Finally, he emphasized the need to keep evolving and improving. You may not be able to implement all your desired changes at once; don’t be afraid to start with “half a loaf”!
An Overview of the CERT Resilience Management Model (CERT-RMM)
Katie Stewart, Senior Engineer, Software Engineering Institute, Carnegie Melon University outlined CERT’s resilience management model that organizations can use to manage cyber and other operational risks. The resilience model focuses on the organization’s ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from many different types of events from deliberate attacks, accidents, or naturally occurring events.
Katie outlined the value proposition for developing cyber resilience which includes simplifying complex cybersecurity challenges, balancing risk and cost, standardizing an approach that focuses time and effort on assets needing protection, and managing interdependencies and internal and external organizational challenges and silos. She then went on to describe the building blocks of resilience management. The process of developing resilience starts with identifying an organization’s services and products that are most critical to carrying out the mission.
Once those high value products and services have been identified, Katie recommended that you look at those business processes or productive activities that must be performed in order to deliver the products and services. Then you identify the assets that support the processes and activities critical to delivering products and services which may include people, information, technology, and facilities. The assets derive their value from their importance in meeting the service mission. The operational resilience has to start at the asset level, and is focused first on protecting the assets from exposure to disruption (e.g. information security), and then sustaining the productive capacity of the assets during adversity (e.g. business continuity). Organizations should strive to achieve the optimal mix of protection and sustainment strategies by looking at the value of the asset to the service and the cost of deploying and maintaining the strategy.
Katie then went on to outline the CERT Resilience Management Model (CERT-RMM) that provides guidelines and practices for converging various operational risk management activities, implementing, managing and sustaining resilience activities, and measuring and institutionalizing the resilience process. The complete resilience model is available for free download at www.cert.org/resilience.
A Peek Under the Hood: GM’s Toolbox for Managing Strategic Risks
We wrapped up the day by taking a “peek under the hood” at GM’s toolbox for managing strategic risk. Angela Hoon, Kelli Santia, and Ken Shogren covered GM’s approach to strategic risk management and some unique tools that their organization uses to manage risks. The process GM uses differs from the traditional, heat map approach to risks and instead uses a network risk model that looks at the connections between risks, identifying and connecting causal risks and effect risks. The network approach can improve both impact and probability assessments and put the focus on clusters of risks to improve mitigation planning and strategy development.
The process of developing the network risk model starts with risk identification through interviews and a workshop. Then connections are identified by surveying workshop participants, and performing a network analysis with that data to identify the most critical risks/clusters. At that point the strategic risk management group convenes additional workshops that leverage Design Thinking concepts to determine how to address those most critical risks/clusters.
Next on the agenda was a discussion of the use of game playing to develop strategies. While we typically think of playing games as a recreational amusement, in fact, there are many instances where playing out a game can be invaluable in developing strategy. Four key elements make up a game situation: multiple players, decision-making, uncertainty, and replays. Putting together these elements into a game allows testing of multiple decisions under uncertainty before committing to irreversible action. Multiple players can influence the outcome of a challenging situation and therefore it is important to plan for opposition by other parties. The path to reaching a goal or challenge is almost always filled with choices, and a strategy has to be developed to make those decisions. Uncertainty comes from other players’ actions, other unknown forces and randomness, and gaming allows you to develop a strategy to anticipate and account for that uncertainty. Finally, by replaying the game, you can see how different choices lead to different outcomes.
For gaming to be the right tool, you have to evaluate the situation you are attempting to address. It works best when you are focused on external players, you have a plan and know your choices and potential obstacles, and you face a significant cost if you fail. In these situations, war gaming is a tool that would be used at GM. War gaming is simply a group exercise that answers the question “What should we do?” A key element of war gaming is to have participants assume the roles of those external players and take actions in response to the company’s or another player’s actions. It is an excellent tool for considering countermoves and interactions among the real life players that provides both focus and breadth of understanding of the challenge. This will ultimately improve strategic decision-making. The strategic risk management group at GM facilitates war gaming workshops for many different challenges from labor negotiations, to regulatory challenges to international trade.
The speakers from GM wrapped up by emphasizing the approach their organization uses to achieve their risk vision. It includes the networked view of risk across the enterprise and the basic risk management foundation, but goes further by providing strategic tools to enable a risk lens. This makes up the strategic risk management group’s value proposition and allows the group to support the business in risk management and apply a risk lens to strategy and decision-making.
It was clear from this spring’s Roundtable Summit that companies are continuing to evolve their ERM processes and innovate in the techniques and tools they use to better manage risk. At the same time, the types of risks companies face are also changing, and companies must adopt practices that will provide resiliency in the face of these threats. Many new and practical techniques, tools, and examples were shared at this Roundtable Summit. Mark your calendars for the next ERM Roundtable Summit on November 8 so that you can get the latest ERM insights first hand! Register now!