Susan Wilson, Vice President and General Auditor at Winston-Salem, NC based Reynolds American Inc., was the featured speaker at NC State University’s October 27, 2006 ERM Roundtable.  Her presentation provided an overview of how the 2nd largest U.S. cigarette company has implemented enterprise risk management (ERM).

Wilson described the Reynolds American approach of integrating its risk management and strategic planning processes, an approach that resulted from the 2004 merger of RJR Tobacco and Brown & Williamson Tobacco companies.

ERM Drivers at Reynolds American

The development of ERM processes at Reynolds American is driven by both external and internal demands. Rising external expectations for more robust risk management practices, such as the NYSE audit committee requirements for oversight of risk management and credit rating agency focus on ERM practices as part of their rating assessment processes, are providing strong incentives for Reynolds American to continually strengthen its approach to risk management. Additionally, internal demands from senior management for better decision making and improved performance also call for a cross-company view of risks and a strengthened risk-aware culture across all employees of the company.  Both senior management and the Reynolds American Board of Directors identified ERM as an emerging best practice and sought to strengthen their approach to managing complex risks across the enterprise.  ERM is helping to meet those needs.

Merger Integration Activities Leveraged to Launch ERM

The merger of RJR Tobacco and Brown & Williamson Tobacco companies (which created Reynolds American) afforded senior management opportunities to integrate existing best practices into a coordinated ERM approach.  Prior to the merger, Brown & Williamson had a robust risk assessment process, while RJR Tobacco had a strong strategic business process evaluation methodology.  Blending these risk management and strategic business process practices provided the opportunity to create a cross-company ERM process tied explicitly to strategic planning and oversight. Hence, Reynolds American’s ERM approach did not require the creation of new systems and processes.

The initial approach to launching ERM was designed to capture easy wins from ERM.  As with any organization involved in merger activities, there were numerous competing initiatives, such as the combination of operations, consolidation of plant operations, and the challenges associated with initial compliance with Sarbanes-Oxley requirements.  To deal with these challenges, senior management chose to focus on creating an “ERM Lite” framework that sought to capture numerous benefits of a holistic approach to risk management while at the same time ensuring the approach was pragmatic, with an emphasis on substance over form in light of the company’s existing culture.  Reynolds American built its ERM framework on COSO’s Enterprise Risk Management – Integrated Framework.  They also used external consultants to provide “sanity checks” to highlight any significant gaps in their approach.

Developing a Risk Universe

The company defined its risk universe as consisting of five categories of risks, illustrated in pyramid form, with “Strategic Business Risk” at the top of the pyramid:

1. Strategic Business Risk
2. Marketing/Business Risk
3. Financial Performance Risk
4. Operational Risk
5. Compliance, Financial Reporting, and Fraud Risks

Within each risk category, specific risk drivers were identified.  For example, for Strategic Business Risk, they focus on the company’s brand portfolio, the life cycle of the industry and Reynolds American products, joint venture activities, and its organizational culture and structure, among other areas.

Creating an Ongoing ERM Process

Once the five risk categories were identified as the company’s ERM risk universe, senior executives leveraged ongoing, dynamic processes to create an ERM framework designed to continually connect risk assessment and strategic planning activities.  The goal was to embed risk management in the strategic risk and business process risk assessment processes, so that employees throughout the organization would have a risk lens to apply to their analysis of business process activities. In fact, no one individual in the company holds “risk” in their job title; rather, it is everyone’s job.

By leveraging the existing strategic planning and risk management practices of the two merged tobacco companies, Reynolds American created an ERM process illustrated by the following diagram (for an enlarged view, see slide 32 in the linked presentation slides noted at the top of this summary):

Overview of Five Step Process

ERM at Reynolds American begins with a strategic risk assessment (Step One).  At this stage, management conducts a “deep dive” analysis of the company’s top 25-30 strategic risks.  They identify key strategies and related threats, quantify both the likelihood and impact of risks, and identify risk gaps. This process is led jointly by the Senior Vice President of Strategy and Planning and the Vice President & General Auditor, with oversight provided by the senior management of Reynolds American and the company’s audit committee.

Step Two takes the risk gaps identified in the initial step and folds risk mitigation strategies into the annual operating plans for the functional units involved.  That process builds the risk mitigation strategy into the operating budget process.  Then, risk mitigations are mapped into business processes and activities in Step Three to ensure that the most significant risks affecting the process are addressed.  Critical success factors are identified, risks are classified by type, and functional owners are assigned.

To ensure that risk responses are implemented as planned, the annual audit plan for Internal Audit is adjusted to ensure that the significant risks within business process areas are a part of the audit scope.  From that audit focus in Step Four, Internal Audit prepares a top-line recap of key strategic risks for senior management and audit committee review.  That report includes an assessment of changes to key risks, including progress reports about mitigation strategies, along with the identification of any emerging risks.  Existing risk gaps highlighted in Step Five are then fed back into the subsequent year’s “deep dive” strategic risk assessment, which starts the process anew.
Reynolds American has used an evolutionary ERM approach to create a comprehensive risk management program that conforms to the company’s business needs and culture.  Wilson noted that one of the keys to the successful launch of ERM is the level of support by top leadership, including the CEO.  While the company’s process is working effectively in its existing environment, ERM is still evolving at Reynolds American.

ERM Enterprise Risk Management Initiative 2006-10-27