Strengthening Risk Oversight: Practical Lessons from Cree, Inc.

Scott McKay, Director of Corporate Audit for Cree, Inc. spoke at the October 2nd, 2009 ERM Roundtable regarding ERM processes at Cree Inc., which manufactures and sells LED lighting with annual revenues exceeding $500 million. McKay noted that most people stumble when creating an enterprise risk management system because they focus on small process-level risks instead of keeping their focus on big picture, entity-wide risks. He began the core of his presentation with an introduction on how Cree approaches the identification of key risks, with particular emphasis on the differences between process or activity level risks and entity-wide risks. McKay highlighted Cree’s qualitative and quantitative techniques for assessing risk and assigning those risks to owners. Lastly, he accentuated the importance of communicating these results to the right people throughout the organization.

Risk Identification

McKay noted that the achievement of corporate level objectives often falls short due to one of the following risk management failures:

1. Failure to identify risk—the risk was unforeseen
2. Failure to manage risk—the risk was identified, but not managed appropriately
3. Failure in the execution of the risk response – controls to mitigate the risk failed

Cree, Inc. built its ERM processes off COSO’s Enterprise Risk Management – Integrated Framework.  The ERM framework provides a way for businesses to incorporate risk management into their day to day operations. McKay emphasized that the framework was useful to him and others assisting in the launch of the process.

When seeking to identify entity-level risks, McKay noted that it is essential to start with entity level risks instead of activity level risks during the risk assessment process. According to McKay, activity level risks can often be seen as “weeds” that distract management from identifying broader, enterprise risks likely to have the greatest impact on corporate objectives.  Thus, McKay insists that entity level risks should be the only items discussed with strategic managers.

A good way to identify the entity-wide risks according to McKay is to go through risk factors of other entities in your industry. This provides a good starting point because often the list of entity-wide risks is too long to deal with. The audience of strategic managers will be lost in all the risks if they are not narrowed down to the ones that are likely to be most important. McKay introduced Cree’s entity-level risk model as an example of how to assess listed risks. Risks should be given a name, a description, and a downstream effect should be determined. Although there are many effects of an entity-level risk, it is important to keep the audience’s attention by listing only the umbrella risks and leaving the details for the more technical analysis.

To gather a list of entity-wide risks at Cree, McKay facilitated group workshops with key management leaders.  Each workshop was done in a group setting, whereby managers were asked to think about key risks along several dimensions provided by McKay.  Each workshop was limited to one hour.  At the end of each meeting, McKay left with a list of key risks and assessments of their likelihoods and impact.  Later, he compiled those risks and presented them to the CEO for review and feedback.  CEO perspectives were added to the enterprise risk summary that compiled top risks across functional areas of the enterprise.

Risk Assessment

To leverage risk, McKay finds that a heat map that addresses entity-level risks is a great starting point. McKay suggested spending a great deal of time designing the heat map and ensuring that its users will be able to understand it. He suggested starting with the likelihood of the risk occurring. Cree’s heat map categorizes risks based on the following five categories:

1. Remote
2. Unlikely
3. Possible
4. Likely
5. Probable

In order to determine the values of these categories, McKay found that it is easiest to first establish the definitions of the extremes and the middle value before proceeding to the second and fourth values.

Similarly, Cree uses a five-point scale to assess impact:

1. Trivial (no noticeable impact on achieving objectives)
2. Inconsequential (may have some undesirable outcomes relative to objectives)
3. Significant (more challenging to achieve some objectives)
4. Material (difficult to achieve multiple objectives)
5. Very Material (may affect the company’s ongoing existence)

To assess the impact, McKay recommended determining the high, medium, and low values first. A way to determine the levels of impact, Cree started with setting low bars measuring of cash or earnings per share. The impact of the risk could be compared to earnings per share by determining what quantity of risk would drive the dilution of earnings per share. From this calculation, one could assess whether a particular event was trivial or quite material to the going concern of their entity. He noted that it is important not to rush the heat map design process because if accurately defined, it will provide a good level of guidance for risk assessment.

Evaluating Risk Responses

Managers should be confronted with questions about how they think risk is managed. Most managers believe internal controls manage all company risks; therefore, it is important to assess the effectiveness of internal controls. An assessment of control maturity should be conducted using a matrix that identifies the level of control maturity and a description that users will understand. All those involved with risk management should be exposed to this matrix and it should be explained to them in detail.

It is important to walk through this matrix wit the CEO separately from other risk managers so that biases are absent from the results. McKay provided a matrix for assessing control maturity and explained the levels in the scale. Immature controls can be matured by implementing policy, but documentation must be created for the controls to be defined. Once controls are defined, risk management should be recognized and key performance indicators should be established to identify whether controls are preventative or detective.

Communicating Results

The key to communicating the results is getting people to support and own the risks that have been identified. Before communication can be effective, McKay emphasized that it is important to be sure that risks critical to achieving objectives have been identified and risk tolerances have been established and aligned with those risks. This tolerance level should be communicated company-wide and made clear to all management and employees.

Risk owners should also be identified because the company cannot be responsible for any risk: risks must be owned by someone. The results can be communicated using the heat map designed by risk managers. McKay noted that adding color to the heat map is always beneficial because it gives a visual representation of the results. It is also helpful to group certain types of risks that are acceptable while making clear other types that are not acceptable under most circumstances.

Before his conclusion, McKay provided four tools for effectively establishing a risk management program and communicating it on an entity-wide level. These key points are listed below:

1. Collect a list of risks and identify them appropriately.
2. Produce a good quality heat map that is understandable to its users and representative of risk likelihood and impact.
3. Develop a control maturity scale.
4. Create a short slide deck (one hour presentation) to communicate risk assessment to risk owners. This is important to the culture and will help win the support of the audience.

McKay concluded by reemphasizing the three reasons objectives often fail to be achieved. He also reiterated the importance of keeping communication throughout the entity at a high level and staying out of the so-called “weeds”. Enterprise Risk Management touches a number of risks and in order to gain the attention and support of strategic managers, it is important to emphasize the key concepts of risk management while leaving out the technical details.