A report authored by Sridhar Ramamoorti, Marcia Weidenmier Watson, and Mark Zabel shows that enterprise risk management (ERM) requires looking at upside risks as well as risk mitigation and compliance.  One way internal auditors can help their organizations improve their ERM processes is by using Six Sigma methodologies.  These methods can aid an organization in taking a proactive approach to addressing upside and downside risks and creating stakeholder value.  Six Sigma solutions can help internal auditors by providing new ways of addressing difficult measurement challenges and unsolved problems in the ERM processes of their organizations.

Six Sigma

Six Sigma was originally designed to reduce defects in manufacturing processes.  Its scientific, data-driven, project-based approach can be adapted to address defects in many different areas of an organization.  Risks are essentially “defects waiting to happen,” and Six Sigma techniques can be used to mitigate, transfer, or eliminate risks.

A central aspect of Six Sigma is its DMAIC problem-solving process: define, measure, analyze, improve, and control.  This process guides process improvement by requiring a baseline for performance to be established before analysis begins and then only implementing solutions once their efficacy is clear.  Standardization of solutions only occurs after process changes have been demonstrated to work.  Six Sigma processes are, in general, incremental in nature and lead to evolutionary improvement in a business.

Relationship of Six Sigma and ERM

Six Sigma and ERM share some common goals and principles.  Both focus on delivering value to stakeholders, rely heavily on business processes and data integrity, and deal with risk and uncertainty.  It is the ways in which the two systems differ, however, that can prove useful for improving ERM processes in an organization.  Six Sigma approaches risk and uncertainty from an operations and production viewpoint, whereas ERM’s approach is from a financial reporting viewpoint.  Also, Six Sigma is concerned with determining whether a process is improving over time, which can prove useful in measuring improvements in ERM processes.  The structure, statistical methods, and deployment readiness of Six Sigma can enhance the application and effectiveness of ERM in three key areas: skilled employees, implementation tools, and value creation.

Skilled Employees

If an organization has implemented Six Sigma, it is already well prepared to establish ERM.  One mission of Six Sigma programs is to supply skilled employees for business improvement projects throughout an organization.  Six Sigma programs also often have steering committees that prioritize project opportunities and allocate resources.  These resources can benefit ERM projects, and risk management concerns can be addressed on a consultative basis.  In organizations that have not implemented Six Sigma, internal auditors can introduce Six Sigma concepts, tools, and techniques to help those organizations assess the risks facing all of their systems and processes and define, control, and improve their processes.

Implementation Tools

Internal auditors can implement a wide variety of Six Sigma tools to manage risk.  One tool is failure modes and effects analysis, which prioritizes product, people, or process risks along three dimensions: likelihood, severity, and possibility of detection.  This analysis can be used to quantify qualitative concepts that are typically hard to measure such as risk appetite and risk tolerance.  Statistical process control uses tools like control charts to view all critical data simultaneously and direct an organization when to react to changing risks and environments.  It can be used to answer questions such as: Can we do it right?  Are we doing it right?  Another useful Six Sigma tool is a capability maturity model framework, which could be used to track the effectiveness of ERM implementation and sophistication over time.

Value Creation

Six Sigma can also be used to create value in ERM by providing a systematic, disciplined means of keeping track of upside and downside risk.  One Six Sigma tool that can create value is a Suppliers, Inputs, Process, Outputs, and Customers (SIPOC) relational map that illustrates input-output linkages and the impact on customer outcomes.  By combining a SIPOC view with an analysis of the voice of the customer, an organization is able to focus on challenges related to defects in customer outcomes and potential opportunities that can create value in the marketplace.  Six Sigma can also help organizations with ERM in the consideration of tolerance levels related to all possible outcomes in qualitative areas.

A key Six Sigma goal is often transferring management of a process from output to input.  This translates into making ERM more effective by focusing on leading indicators to control risks in operations.  Internal auditors can help ensure the appropriate risk tone is set in the control environment of an organization as part of the ERM process by facilitating departmental control self-assessments to identify risks and establish appropriate risk responses.