“Nuggets” from the Fall 2016 ERM Roundtable Summit

          Participants tell us that the greatest benefit they receive from the NC State ERM Roundtable Summit is the number of practical tips or “nuggets” that they hear from the experiences shared by risk leaders from across the country.  This fall’s Summit was no exception.  We had risk leaders from General Motors, Vanguard, SAP and Estee Lauder share their unique experiences in launching, sustaining and advancing successful ERM programs.

      Angela Hoon and   Krysta MacDonald of General Motors got us started with a discussion of how GM went about changing its risk management paradigm from a “check the box” mentality to a process more focused on emerging strategic risks, both short and long term, as well as those medium term risks most critical to GM overall.  Importantly, getting to a more strategic focus starts with titles and terms; Angela and Krysta are both part of the Strategic Risk Management team, which puts the focus on the strategic, enterprise wide risks and helps to shape the perceptions of risk management within the company.  Like many organizations, GM conducts risk assessments within business units and regions; however, the conversation focuses on just the top 5 risks in each area and then aggregates those risks to spot trends at the enterprise level.

      Beyond that GM, has implemented several innovative tools and processes to more effectively manage risks:

  • Risk Sensing Networks – creates cross functional relationships that share data to help manage operations by combining human insights with analytical capabilities.  These networks look both internally and externally for anomalies outside expected patterns and existing trends.
  • Social media pilot – assesses both volume and content of social media activity around commonly used phrases, turning “noise” into value-added business insights.
  • Blind spot Workshops – uses focus groups to provide independent perspective on risks related to a specific topic.  A blind spot is defined as an “unknown, unknown” or unpredictable or unforeseen event which could be caused by organizational complexity, executive over-confidence or submissive subordinates.
  • Risk Interconnectivity – connects risks across silos to generate a network, interconnected view of risk.  A network of interconnected risks includes critical risk clusters – a group of tightly connected risks that may produce a contagion and that are often triggered by similar root causes. Rather than focus on risk outcomes (e.g., the top 15 risks facing the organization), the risk cluster analysis seeks to identify common root cause symptoms among the top risks to the enterprise so that root causes might be addressed to lower the probability and impact of a collection of risks.  These risk relationships are shown visually in a network diagram.
  • Game Theory and War Gaming – serves as decision support tools.  The risk management team has expertise in applying these techniques which brings them to the table for key strategic decisions.

        While most organizations may not have the resources to deploy all of these tools, there are some key takeaways for all risk managers.  Traditional ways of managing risk may not drive the right focus, and therefore risk management programs need to keep pace and try new techniques to get fresh perspectives on risks.  At the end of the day, generating risk awareness and conversation within the business can yield greater value than pushing paper.

    Adam Rosenthal, the Head of Operational Risk Management at Vanguard shared the ERM journey at Vanguard from a fragmented process to a more structured foundation to more technical consulting that retains and strengthens risk management capabilities to leverage the current operating model and reduce operating costs.  The vision and goal for Vanguard is to have a risk management culture that will permeate all levels in Vanguard so that ultimately every employee sees risk management as a core part of their duties and a source of competitive advantage.  

        Adam stressed the importance of having a common risk taxonomy to use to label all risks to facilitate meaningful aggregation at the entity level.  Without that type of structure it would be difficult to categorize and analyze risk themes across the enterprise.  One key question that Adam raised was whether your organization’s management team uses the tools the ERM team has put in place.  He stressed that it is important to segment your internal customers to understand their different needs and to be responsive to those needs.  For example, the CEO and board of directors will be most focused on the top down risk assessment, and that will also be important in each division and business unit; however, the business units would also need risk assessments relating to projects or programs and service providers, as well as operational risk assessments to determine the effectiveness of operational risk controls.  Adam also shared the dashboard his organization uses which described drivers and outcomes related to risks as well as the effectiveness of risk management efforts.  Management bonuses are based upon the effectiveness metrics shown on the dashboard.  This alignment of incentives keeps the appropriate focus on risk management activities.

          At the conclusion of Joel’s presentation, participants were given the opportunity to engage in interactive discussions of topics that are top of mind for them.  A member of NC State’s ERM Advisory Board was seated at each table and helped to facilitate the discussions.  The topics discussed ranged from tips for starting an ERM process to risk reporting, to effectively defining strategic risks, to developing risk appetite and more.

  Lise Møeller Frikke, Vice President, Global Field Risk Officer at SAP Americas, Inc.  shared the ERM journey at SAP including the acknowledgement that even a sophisticated software company began over a decade ago their risk management process using Excel and Power point to document risks, but now have developed software tools to better manage risks.  A critical part of the success of the risk management function at SAP was in changing the role of the risk manager from that of a pure facilitator to more of a business partner with a dual role of both ensuring compliance but at the same time enhancing SAP’s capability as a risk intelligent enterprise. That transition includes raising awareness of key risks and making informed business decisions in a simple and effective way.  ERM is tightly embedded in the organization’s decision making process, and a strong risk culture is driven and exhibited by senior management in the company.

    Many risk professionals struggle with tangible examples of how effective risk management adds value.  Lise shared four specifics with the audience:

  • Risk reporting aligned with business goals has served as the basis for the achievement of strategic objectives
  • Engagement in an effective ERM process supports negotiations with insurance companies and has resulted in significant reduction in insurance rates
  • The engagement in enterprise-wide risk oversight has become a differentiating factor in competition with other suppliers, particularly with regulated entities
  • The output of SAP’s ERM process has facilitated a better calculation of risks that is used in establishing fixed-price contracts and management of those risks helps to achieve expected profit margin

    While not all of these opportunities will exist in all industries, this is certainly a beginning point for identifying specific value adds for the ERM function.

Frank Fronzo, Vice President, Assistant Treasurer, and Corporate Risk Officer for The Estée Lauder Companies, Inc. wrapped up the day by sharing the ERM process and some specific templates his firm uses.  Estée Lauder uses a risk committee structure that includes a corporate level risk management committee as well as eight risk subcommittees focused on specific critical corporate risks.  All the committees are on an annual cycle with four meetings per year with specific content and deliverables specified for each meeting.  It is the responsibility of the corporate level risk management committee to identify and prioritize the critical corporate risks, and to validate and approve corporate risk appetite, risk mitigation of critical corporate risks, risk ownership, and risk monitoring and metrics.

    Some key insights that Frank shared included the lessons learned regarding risk identification – the quality of input received was greatly enhanced by conducting interviews rather than using surveys.  Having a face-to-face discussion brings out risks that may be overlooked or not fully examined when a survey instrument is used.  Another key “nugget” from Frank’s presentation was the documentation of opportunities that may arise from a specific risk event.  In this way, the company focuses on not just the down side but also the upside of uncertainty, particularly the advantage the company may gain by effectively responding to risks.  He also shared the dashboard that is used for risk reporting, which includes inherent risk scores, mitigation sufficiency ratings, residual risk scores, and the risk outlook.

    The examples all of our speakers shared provided a good basis for comparison back to the practices at each participant’s organization, and I think everyone saw some areas where they could potentially improve their organization’s process.  Whether it was techniques for identifying the “unknown, unknowns”, creating a stronger risk culture, realizing tangible benefits from ERM, or improving your risk reporting, there were multiple opportunities to take back valuable tips to make your risk management practices more effective.

    Download a copy of the article   here.

  FRIDAY, APRIL 28, 2017  



    As Executive Director of North Carolina State University’s ERM Initiative, Bonnie Hancock works closely with  senior executives as they design and implement enterprise risk management (ERM) processes in organizations they serve. That hands-on advising leads to insights about techniques useful in addressing a number of practical challenges associated with ensuring ERM processes are value adding without over-burdening the process.   

Subscribe to ERM Insights

The latest research, insights and opportunities from the NC State ERM Initiative to help
you and your organization lead with confidence.

Related Resources

ERM Enterprise Risk Management Initiative 2016-11-07