Implementation of enterprise risk management (ERM) tools--a case study.
Rao, Ananth
INTRODUCTION
Risk and the need to manage it are nothing new. Hoffman observes
that Maslow implicitly recognized risk in his famous hierarchy of needs
by placing food and shelter, both essential to survival, on the first
rung of the ladder (Hoffman, 2002). A failure to manage the risk of
these needs not being met can have catastrophic results, as much for
organizations today as for the earliest life forms. Bernstein
cites the impact of wars on markets, and of storms and piracy on shipping
routes, as some of the major risks faced and managed by our
predecessors (Bernstein, 1996a). He also notes that only 350 years
separate today's risk management techniques from decisions made on
the basis of superstition and instinct (Bernstein, 1996b).
Are risk concepts today new to organizations?
If risk is nothing new to organizations, why is risk management
generating rising levels of interest at present as seen by the growing
volume of current literature on the topic? For example, Stevenson et al
propose that heightened levels of competition and a rapid pace of change
are destroying predictability for organizations, implicitly raising the
levels of risk faced (Stevenson, 1995), while Lewis claims that
modified competitive, technological, social, and political circumstances
have magnified the potential impact of operations-related failure
(Lewis, 2003). Delamontagne and Witzel echo this in stating that events
such as the September 11th terrorist incident in New York and the Enron
meltdown have moved risk management higher on the business agenda
(Delamontagne, 2003; Witzel, 2002). Hoffman (2002) maintains that
watershed changes in society, technology, science, and the
interconnected nature of global society and business make the subject
more relevant than ever before. He supports this position with reference
to a database of operational loss events suggesting that the majority of
reported commercial losses have occurred since the beginning of the 1990s.
Whether this rise in historical trend levels might instead be due simply
to improved record-keeping and transparency is unfortunately not
explained.
Seeking to understand the likelihood and impact of future events,
be they favorable or unfavorable, in order to maximize future business
performance, is a decades old activity: by the late 1960s, Royal Dutch
Shell had begun to develop scenarios that were designed to help
management prepare for future uncertainties. This preparation was useful
in enabling management to react more quickly to the 1973 oil crisis, for
example. Wack and King et al were describing "long-range
planning" in terms similar to those used for risk management today
(Wack, 1985; King et al, 1978). Here the authors discussed the need to
generate predictions of the future along multiple dimensions (staff,
product, competition, etc) and compare these predictions to the desired
future organizational state to identify the management interventions
required. They noted that this planning process would not eliminate
risk, but should identify and help to manage risks, thereby increasing
the "benefit/cost ratio". In 1981, Pomeranz et al used similar
words to describe "strategic planning" (Pomeranz, 1981). They
observed that companies were increasingly engaging in strategic planning
in an effort to better manage the "shifting conditions which can
disrupt achievement of a company's long-range plan". They
characterize strategic planning as a process that attempts to match
environmental threats with corporate resources, and go on to suggest
that the auditing of strategic plans can help to define business risks
and verify that these risks have been "appropriately
considered".
Although the concepts described in these earlier papers have much
in common with risk management as it is understood today, efforts have
been made over the last several years to develop the frameworks, tools,
and processes to drive and support risk management as a discipline
separate from but aligned with strategic performance management.
Is the Concept of Risk Management and Management Action today
Realistic and Feasible?
The answer to this question lies in a careful understanding of the
more inclusive definition of risk provided by the influential Risk
Management Group of the Basel Committee on Banking Supervision, i.e.,
"the risk of loss resulting from inadequate or failed processes,
people and systems or from external events" (The Basel Committee, 2001).
Using this Basel definition, for risk management to be realistic
with a feasible management action, the management of risk must involve
actions taken by management to minimize the likelihood of asset-damaging
or loss-generating events occurring, and to mitigate the impact on
the organization should they occur. Carey, in assessing the Turnbull
Report, issued to provide guidance to listed UK companies to help them
improve their internal controls, notes that the report calls on boards to
identify risks that are significant to the fulfillment of corporate
business objectives and to implement a sound internal control system to
manage these risks effectively (Carey, 2000).
In 2004, COSO (The Committee of Sponsoring Organizations of the
Treadway Commission) developed guidelines on the framework that would be
readily usable by managements to evaluate and improve their
organizations' ERM. According to the document, control is the
responsibility of the board of directors, management and other personnel
within the organization, not just the practicing finance managers and
accountants. Particularly relevant is the identification of risk
assessment as a vital component of control. Business practitioners
today need a framework that is easy to follow,
understand and apply through examples in order to implement enterprise-wide risk
management (ERM). This paper attempts to present such a framework
through case analysis for the benefit of integrating various concepts
for easy implementation.
Case study: Integration of Strategic control and Risk Management
The following case study in a business establishment in Dubai (the
name is kept anonymous for the sake of confidentiality) illustrates how
one private sector organization (Case A), uses ERM within its strategic
control process. The strategic framework closely aligns with the
concepts covered by the Basel committee recommendations and COSO 2004
document. The case study is organized into three sections. Section A
illustrates the strategic framework adopted by the case company through
objective setting, risk identification, risk assessment, application of
value at risk (VAR) as a quantitative risk assessment technique employed
by the case company, and portraying risk assessment. Section B concludes
the strategic framework of the case company, while Section C draws
implications of the framework for practicing managers.
SECTION A
A.1 Objective Setting
Every firm faces a variety of risks from external and internal
sources, and a precondition to effective risk/event identification,
assessment and response is the establishment of objectives. Objectives are
aligned with the firm's risk appetite, which drives the risk tolerance
level for the firm.
In this perspective, Case A's strategic control process is
seen as a part of a wider corporate governance framework and includes
the responsibility for the Executive Management Team to set and
communicate long-term strategic goals/objectives for the company.
Company objectives are set at the strategic level,
establishing a basis for operations, reporting and compliance, as
illustrated below:
Case A's strategic mission is to be a leading producer of
quality household products in the Gulf Cooperation Council (GCC)
countries. Executive management translates these high-level strategic
goals into an annual business action plan, prioritizing activities and
initiatives deemed to deliver most effectively and efficiently the
results required within existing resource constraints, and defining
specific objectives. The annual business plans are amended throughout the
year as a result of an ongoing review process to incorporate new
operational learning, threats and other changes to underlying planning
assumptions, still in consideration of given resource constraints.
In Case-A, the strategic objective is to be one among the top 25%
of product sales in the GCC. The appropriate instrument for measuring
this objective is the market share. Market share itself is a function of
units of production and number of staff hired. Case A operationalizes
the strategy by "expanding the production of one of its five
business units (BU-A) in the GCC" to meet the increasing demand for
the retail products. While setting this operational strategy, the
company management recognized its risk appetite in that: (a) the
expansion of BU-A required increased capital investment in new assets,
people and process, (b) initially there would be a reduced
profit margin (PM) due to increased competition, and (c) the new
production should maintain high reliability in terms of MTBF (mean time
between failures).
With these risks recognized, the related operational objectives for
the company were: (a) to increase production of BU-A by 15% in the next
12 months, (b) to hire 100 qualified new staff across all manufacturing
divisions and (c) to ensure higher MTBF as desired by the customers. Figure
1 shows the linkages of strategic objectives, and risk appetite to the
mission of the company. Case-A also specifies its risk tolerance limits
within which it operates comfortably. The last box in Figure 1
illustrates this risk tolerance limit.
A.2 Risk Identification
Initial risk identification happens throughout the organization as
an integral part of this business planning and review process, and risk
issues are referred for resolution in both a top-down and bottom-up
manner. Management of Case A defines enterprise risks as
"potential events that, if they occur, will affect the firm", and
determines whether they represent "Opportunities (O)" or
whether they represent "Threats (T)" that might adversely
affect the firm's ability to successfully implement strategy and
achieve objectives.
This broad definition means that for this organization ERM overlaps
much of what elsewhere is considered to be the strategic control
process. Management of Case A identifies the following as Potential
events/risks:
* Tight job market (↑ demand) causing fewer offers being accepted,
resulting in too few staff
* Inadequate needs/job specification, resulting in hiring
unqualified staff
Identified risks are referred to standing committees: Audit,
Finance & Planning, and Human Resources. The committees are composed
of relevant subject matter experts within the appropriate functional
areas of the organization, assisted by the Strategic & Audit Risk
department.
Each committee is responsible for evaluating the risks referred to
them in terms of degree of risk (both likelihood and impact if
crystallized) as well as effectiveness of existing controls or
treatments, and the need for implementation of additional
controls/treatments in the form of proposed culture, process and/or
structural changes. The committees recommend appropriate courses of
action directly to the relevant divisions, who are then responsible for
incorporating the required risk mitigating activities into their
business plans. The committees are also responsible for monitoring
high-level risks and the implementation of their recommendations.
However, where recommended new controls and treatments cannot be
accommodated within existing budgets, new initiatives are prioritized by
the Executive Management team as part of the ongoing strategic
management and review process.
A.3 Risk Assessment
In Case A, the risk assessment process consists of four distinct
phases and is illustrated in Figure 2.
The first phase of the process, Risk identification, involves the
generation of a comprehensive list of events that could negatively
impact the achievement of the organizational objectives and outputs,
based on the high-level strategic plan and lower-level business
plans. These were identified as: tight job market and inadequate job
specification resulting in hiring unqualified staff.
Next, during the Inherent risk analysis phase, the likelihood and
consequences of these events are quantitatively rated as low (20%
likelihood) or moderate (30% likelihood) or high (50% likelihood), with
consequences evaluated in terms of their impact on the
organization's stated objectives; impact is assessed on the
dimensions of financial cost, and business reputation damage.
[FIGURE 1 OMITTED]
The third stage of Case A's process, Existing Control Analysis,
begins by analyzing the effectiveness of existing controls in responding
to these inherent risks, with controls defined to include policies and
procedures, and codes of practice. In Case A, these risk responses
include increasing compensation to the staff or outsourcing if the risk
concerns the limited availability of qualified candidates,
or reviewing the hiring process every 2 years if the risk is within the
company's risk tolerance limits of stringent hiring process.
The fourth stage, Residual Risk Analysis, involves the impact of
risk responses in reducing the likelihood of inherent risk. The residual
risk analysis in Case A indicates that, due to the risk responses, the
risk of too few qualified candidates is reduced by 5%, with only 5
unfulfilled positions against the possible 30 unfulfilled positions, and
the likelihood of even this risk is very low (10%).
[FIGURE 2 OMITTED]
Management of Case A normally uses a combination of qualitative
(risk mapping) and quantitative (probabilistic techniques such as Value
at risk (VAR) and scenario analysis methods) techniques in its risk assessment. It is
interesting to see how Case A uses VAR in minimizing the risk of loss in
asset value in its new proposed business unit BU-A, using equity value as
the metric. This procedure is explained below for the benefit of those
practitioners who find the VAR technique of risk assessment
cumbersome and unwieldy.
A.3.1 Value at Risk (VAR) Technique
VAR models are quantitative probabilistic models used to estimate the
extreme range of value change $\Delta$ (where $\Delta$ refers to change)
expected to occur infrequently. This involves the following steps:
1. Value the asset using today's price $V_0$. To value the asset,
Case A knows clearly the drivers of the asset pricing, i.e., the market
factors which determine the price/value of the asset.
2. Revalue (simulate) the asset using a "number of alternative
price lists" and calculate the changes in the asset value $\Delta V_i$,
$i = 1, 2, \ldots, N$ (months/days).
3. Given a distribution of value changes $\Delta V_i$, VAR is specified in
terms of confidence level. The risk manager of Case A calculates the
maximum value that the company can lose over a specified time horizon
at a specified probability level. For instance, the risk manager defines
the maximum loss for a 1-day period or 1-month period at 95 percent
probability, i.e., the loss that should be exceeded on only 5 days out of
100 business days or 1 month out of 20 months of business operation and
the like.
A.3.2 Application of VAR
Case A's financial manager's objective is to calculate a
1-month 95 percent confidence level VAR for the asset A of his company.
The manager earlier tried to use the capital asset pricing model (CAPM)
framework for assessing the asset value. The manager later learnt that
CAPM is not the appropriate asset pricing framework in the Middle-East
due to market imperfections (Rao, 2000). So the manager adopts the
following multi-factor model to value asset A, since market index, United
Arab Emirates (UAE) bank interest rate, and monthly oil price are key
market factors that drive the value of the asset in the UAE.
$R = \alpha + \beta_1 (R_m - R_f) + \beta_2 (\mathrm{OP}) + \epsilon$    Equation (1)
Where
$R$ = Value of asset A in terms of daily percentage returns
$\alpha$ = Constant term
$\beta_1$ = sensitivity of the asset to market return $R_m$ (proxied by NBAD (National Bank of Abu Dhabi) market index or EMI (Emirates Market Index))
$R_f$ = Risk free interest rate (bank monthly rate)
$\beta_2$ = sensitivity of the asset to oil prices (OP) and
$\epsilon$ = error term
The Case-A financial manager performs the following steps in its VAR:
Step 1: Collect the following monthly basic data for Asset A
of Case A.

N                      Price (A) Dhs   Mkt NDX    $R_f$    OP
3                      88              1201.87    0.5053   23.59
4                      90              1368.36    0.5053   24.31
5                      87.5            1196.18    0.5053   25.46
6                      89              1308.89    0.5277   26.66
7                      100             1314.56    0.5277   27.66
8                      110             1431.8     0.5277   25.52
9                      119.5           1415.14    0.5240   27.42
10                     115             1440.88    0.5240   27.62
11                     116             1499.66    0.4193   30.88
12                     116             1549.39    0.4193   30.61
13                     118             1559.78    0.4193   33.06
14                     119             1568.76    0.4680   34.13
15                     126             1660.65    0.4680   36.77
16                     141.1           1817.05    0.4680   35.89
17                     150             2007.6     0.6557   37.22
18                     159             2028.8     0.6557   40.92
19                     175             2102.94    0.7693   41.91
20                     168             2489.91    0.7693   40.14
21                     192             2923.9     0.7693   38.95
22                     229             3360.92    0.9377   43.53
23                     265             4331.55    0.9377   49.90
24                     372             5398.95    1.1283   51.03
25                     337             4992.11    1.3450   57.05
26                     360             5593.64    1.3450   61.78
Current value ($V_0$)                  5700       1.35     62.00

N    Price (A) Dhs   $\Delta R_{m,i}$   $\Delta R_f$   $\Delta$ OP
3    88              7.20345071         -0.1127        -4.17
4    90              7.32176488         0              0.72
5    87.5            -26.4355257        0              1.15
6    89              22.005441          0.0224         1.20
7    100             -8.98930346        0              1.00
8    110             8.48538203         0              -2.14
9    119.5           -10.0821438        -0.0037        1.90
10   115             2.98247164         0              0.20
11   116             2.26055014         -0.1047        3.26
12   116             -0.76336647        0              -0.27
13   118             -2.64549849        0              2.45
14   119             -0.09486427        0.0487         1.07
15   126             5.28177032         0              2.64
16   141.1           3.56050643         0              -0.88
17   150             1.06877904         0.1877         1.33
18   159             -9.43079077        0              3.70
19   175             2.59838972         0.1136         0.99
20   168             14.747004          0              -1.77
21   192             -0.97143366        0              -1.19
22   229             -2.48347167        0.1684         4.58
23   265             13.9334144         0              6.37
24   372             -4.23744102        0.1906         1.13
25   337             -32.1779883        0.2167         6.02
26   360             19.5851536         0              4.73

Step 2: The one-month changes in the three market factors
($R_m$), ($R_f$), and (OP) are shown in the last three columns.
Step 3: The Case A manager simulates the next 24 values for each of
these factors by adding this set of 24 monthly changes to the current
values of $R_m$ (1.9014452%), $R_f$ (1.35%), and OP
(62.00 US dollars per barrel at the time of case development). The computed
values are provided below:

N    $R_{m,i}$     $R_{f,i}$   OP
1    9.1048959     1.2373      57.83
2    9.2232101     1.35        62.72
3    -24.534081    1.35        63.15
4    23.906886     1.3724      63.20
5    -7.0878583    1.35        63.00
6    10.386827     1.35        59.86
7    -8.1806986    1.3463      63.90
8    4.8839168     1.35        62.20
9    4.1619953     1.2453      65.26
10   1.1380787     1.35        61.73
11   -0.7440533    1.35        64.45
12   1.8065809     1.3987      63.07
13   7.1832155     1.35        64.64
14   5.4619516     1.35        61.12
15   2.9702242     1.5377      63.33
16   -7.5293456    1.35        65.70
17   4.4998349     1.4636      62.99
18   16.648449     1.35        60.23
19   0.9300115     1.35        60.81
20   -0.5820265    1.5184      66.58
21   15.83486      1.35        68.37
22   -2.3359958    1.5406      63.13
23   -30.276543    1.5667      68.02
24   21.486599     1.35        66.73

Step 4: Using the pricing model discussed in Equation (1), the Case A
manager computes the value of Asset A as below. He computes $\alpha$,
$\beta_1$ and $\beta_2$ (by using Tools - ADD ON in Excel) and
then plugs the derived simulated values into the model with error terms to
compute the value of asset A.
$R_i = \alpha + \beta_1 (R_m - R_f) + \beta_2 (\mathrm{OP}) + \epsilon$
-3.008318633
-4.178098731
-13.80957138
6.78515983
3.788531832
6.833647769
0.507746769
-5.925605017
-3.14550101
-5.847832052
-3.623359061
-3.160774543
1.837565355
4.387519008
-3.373307375
-4.377091898
5.04688348
-10.65757685
-1.223153507
4.497342511
2.041912686
17.39826236
-29.79971817
5.628892322
Step 5: The manager then sorts the new changes in the asset values
from the largest negative change to the largest positive change as
below:
-29.799718
-13.809571
-10.657577
-5.925605
-5.8478321
-4.3770919
-4.1780987
-3.6233591
-3.3733074
-3.1607745
-3.145501
-3.0083186
-1.2231535
0.5077468
1.8375654
2.0419127
3.7885318
4.387519
4.4973425
5.0468835
5.6288923
6.7851598
6.8336478
17.398262
The last table and the next graph suggest that, on average, a 95
percent confidence level VAR for asset A is a 29.799% decline in value.
[ILLUSTRATION OMITTED]
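An added example (not from the original paper) of Steps 3 and 5 in Python, using the page's own oil-price changes and its 24 simulated changes from Step 4; it reports both the worst-ranked reading, which gives the paper's figure, and the empirical quantile, since a 5% tail of 24 scenarios holds only 1.2 observations. Function names are hypothetical, and Step 4's revaluation is taken from the page's output because the regression coefficients are not given.

```python
import math

# Simulated one-month changes in the value of asset A (percent), copied from
# the page's Step 4 output in the order listed there.
SIMULATED_CHANGES = [
    -3.008318633, -4.178098731, -13.80957138, 6.78515983, 3.788531832,
    6.833647769, 0.507746769, -5.925605017, -3.14550101, -5.847832052,
    -3.623359061, -3.160774543, 1.837565355, 4.387519008, -3.373307375,
    -4.377091898, 5.04688348, -10.65757685, -1.223153507, 4.497342511,
    2.041912686, 17.39826236, -29.79971817, 5.628892322,
]

# Current oil price and the first three monthly changes, from the page's tables.
CURRENT_OP = 62.00
OP_CHANGES = [-4.17, 0.72, 1.15]


def simulate_factor(current, changes):
    """Step 3: add each historical change to today's value of a market factor."""
    return [round(current + delta, 4) for delta in changes]


def historical_var(changes, confidence=0.95):
    """Step 5: sort the simulated changes and read the loss at the tail cutoff.

    Returns positive loss percentages under two conventions:
      rank_based: the k-th worst change, k = max(1, floor((1 - c) * N));
      quantile:   the smallest loss exceeded in at most (1 - c) of scenarios.
    """
    if not changes:
        raise ValueError("no simulated changes supplied")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")

    ordered = sorted(changes)          # largest negative change first
    n = len(ordered)
    tail = (1.0 - confidence) * n      # expected number of scenarios in the tail
    # Small epsilon guards against float error such as 0.9999999 for 1.0.
    allowed_worse = math.floor(tail + 1e-9)
    k = max(1, allowed_worse)

    return {
        "scenarios": n,
        "tail_scenarios": tail,
        "rank_based": -ordered[k - 1],
        "quantile": -ordered[min(allowed_worse, n - 1)],
    }


if __name__ == "__main__":
    print("Simulated OP values:", simulate_factor(CURRENT_OP, OP_CHANGES))
    result = historical_var(SIMULATED_CHANGES, confidence=0.95)
    print("Scenarios:", result["scenarios"])
    print("Scenarios expected in the 5%% tail: %.2f" % result["tail_scenarios"])
    print("Rank-based 95%% VAR: %.3f%% decline" % result["rank_based"])
    print("Empirical-quantile 95%% VAR: %.3f%% decline" % result["quantile"])
```

The gap between the two readings narrows as the number of simulated scenarios grows, which is why the length of the history matters as much as the confidence level.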
A.3.3 Sensitivity analysis:
The Case A manager performs sensitivity analysis on the
asset values to assess the impact of normal, or routine, changes
in potential events/risks. They are used with:
* Operational measures such as the effect of changes in sales
volume on call center response time or number of manufacturing defects
* Equity securities using $\beta$. For equities, $\beta$ represents the ratio of
the movements of an individual stock relative to the movements of an
overall market portfolio or a proxy such as EMNEX (Emirates national
exchange index) or NBAD index in case of UAE
A.3.4 Scenario analysis:
As an alternative qualitative risk tool, Case A risk manager
assesses the effect of one or more risks/events on the company's
operational objectives in the business plan, since the Case A management
seeks to link growth, risk, and return as shown in the following
exhibit:
Impact of various scenarios across multiple business units on total
shareholder value added (SVA) (in Million $)

Unit              Potential business scenarios                       Increase (Decrease) in SVA
Business Unit 1   * Risk rating deteriorates by 20%                  $ (150)
                  * Consumer loans ↓ by 10%                            (120)
                  * Increased competition--one new market entrant      (100)
                  * Revenue in the banking group ↓ by 15%              (180)
                  * Loss of a top-tier customer                        (50)
Business Unit 2   * Increased competition--one new market entrant    $ (50)
                  * Revenue ↓ by 10% due to poor customer service      (30)
                  * Loss of a top-tier customer                        (20)
                  * Unsuccessful new product launch                    (20)
                  * One new pending "large" lawsuit ...                (20)
Business Unit 3   * Increased competition--one new market entrant    $ (40)
                  * Revenue ↓ by 10% due to poor customer service      (30)
                  * Loss of a top-tier customer ...                    (20)

A.3.5 Stress testing:
Further, the Case A risk manager uses the technique of stress testing
as an alternative qualitative risk assessment tool to assess the impact
of events/risks having extreme impact. Stress testing differs from
scenario analysis in that it focuses on the direct impact of a change in
only one event or activity under extreme circumstances, as opposed to
focusing on changes on a more normal scale as in scenario analysis.
These tests include, for example, estimation of a rapid and large:
* ↑ in product manufacturing defects
* Movement in FEX rate
* ↑ in interest rates on the value of an asset in a portfolio
* ↑ in energy prices affecting the cost to run a manufacturing
plant.
While the foregoing discussion focused on the quantitative
techniques for risk assessment, the qualitative aspects of risks are
portrayed to the top management as below.
A.4 Portraying Risk Assessments
Portraying risks in a clear and concise manner is important,
especially with qualitative assessment, because risks are not summarized
in one number or range as with quantitative techniques.
A.4.1 Risk Maps:
A risk map is a graphic representation of likelihood and impact of
one or more risks. Risks are depicted in a way that highlights which
risks are more significant (higher likelihood and/or impact) and which
are less significant (lower likelihood and/or impact). The following
exhibit illustrates a heat map (a type of risk map); presenting risk
levels (likelihood and impact). Some risk analysts use color coding with
red indicating high risk, yellow indicating moderate risk and green
indicating low risk. This coding highlights those risks that are most
likely to have a significant effect on objectives. The risk objective of
Case A is to maintain a quality workforce.
* Likelihood is considered in terms of: % turnover within a
specified period, and
* Impact in terms of costs of operational inefficiency and cost to
replace, retrain, and develop employees.

Risk  Topic                    Risk Description                               Likelihood  Impact
A     Compensation             Employee dissatisfaction with compensation     LOW         MODERATE
                               leads to higher staff turnover.
B     Recognition              Employees feel unrecognized, resulting in      LOW         LOW
                               reduced focus on tasks and higher error
                               rates.
C     Downsizing               Employees are over-utilized and work           MODERATE    MODERATE
                               considerable overtime. Staff leaves to
                               pursue work in other organizations that
                               offer a better work/life balance.
D     Demographics             Changing demographic composition of the        HIGH        MODERATE
                               employee group causes increased turnover.
E     Employment market        Increased demand for company employees by      LOW         MODERATE
                               recruiting firms.
F     Performance evaluation   Employee dissatisfaction with performance      LOW         MODERATE
                               appraisal measures and processes cause low
                               morale, staff to focus on non-critical
                               objectives, and loss of staff to companies
                               perceived to be employers of choice.
G     Communication            Ineffective communication between employees    LOW         MODERATE
                               and management results in mixed messages
                               being heard and in the pursuit of
                               alternative employment.
H     Workplace safety         Unsafe workplace causes employee injury and    LOW         HIGH
                               resignations by injured staff and by others
                               concerned over safety issues.
I     Career Development       Employees perceive limited control over        LOW         MODERATE
                               their career development, causing higher
                               turnover.
J     Work diversity           Employee dissatisfaction with job variety      LOW         MODERATE
                               results in rote performance, higher errors
                               in key processes, and pursuit of more
                               interesting job opportunities outside the
                               company.

Case A flags risks in: high risk cells as high likelihood and cost
and low control ratings, moderate risk cells identified as requiring
active management in the form of a new initiative or risk treatment
plan, while low risk cells (moderate likelihood and cost, high control
rating) are flagged for regular monitoring of control effectiveness.
Risks in low cells are deemed to require only the periodic review of
inherent risks since they are of low likelihood and cost with low
control rating. Finally risks in moderate cells (low likelihood and
cost, high control rating) are identified as opportunities to
re-allocate control resources to other areas exhibiting higher risks.
A.5 Risk Response
Having assessed relevant risks, management determines how it will
respond. Responses include risk avoidance, reduction, sharing, and
acceptance. Following are some examples available at Case A:

Risk Avoidance
* Disposing of a business unit, product line, geographical segment
* Deciding not to engage in new initiatives/activities that would give rise to the risks

Risk Sharing
* Insuring significant unexpected loss
* Entering into JV/Partnership
* Entering into syndication agreements
* Hedging risks through capital market instruments
* Outsourcing business processes
* Sharing risks through contractual agreements with customers, vendors, or other business partners

Risk Reduction
* Diversifying product offerings
* Establishing operational limits
* Establishing effective business processes
* Enhancing management involvement in decision making, monitoring
* Rebalancing portfolio of assets to reduce exposure to certain types of losses
* Reallocating capital among operating units

Risk Acceptance
* "Self-insuring" against loss
* Accepting risk as already conforming to risk tolerances.

SECTION B
Conclusion of Risk Management at Case A
When the risk measurement process is complete, a risk management
plan is developed to document responsibilities associated with
implementing and monitoring actions identified as required through the
four stages of risk assessment. Based on this plan, Case A develops risk
treatment plans for all risks in the aforementioned red cells, covering
the allocation of responsibilities and resources, the establishment of
milestones and deadlines, and reporting frameworks. Risk treatment plans
are then embedded in the business plans of all applicable sections of
Case-A organization. In this way, risk management is not the
responsibility of senior management alone, but more appropriately the
responsibility of all employees.
To maintain control effectiveness, risk treatment plans are
reviewed on a periodic basis to ensure that the agreed risk control
activities are being conducted. To ensure the continued relevancy of
this system, residual risks are re-evaluated on a periodic basis to
capture the impact of Case-A's activities to mitigate identified
risks. With deeply implemented performance management systems, actions,
performance measurement, reporting, and monitoring occur at all levels
of Case-A. This risk management system resembles a cascaded performance
management system, where responsibility for its effective usage is
allocated from senior management down to the front lines. For Case-A,
risk management is an organization wide undertaking i.e., ERM.
The ERM processes discussed so far for the identified risks in
Case-A are summarized in Figure 3 in the strategic management context.
At the completion of its risk response actions, Case-A management
may have a view of individual risks and responses and their alignment
with associated tolerances as illustrated in the following exhibit
(which is an extension of the exhibit presented on page 3).
SECTION C
Implications for risk and performance managers from this Paper
The review of risk management methodologies discussed for Case-A
company in this paper is designed primarily to help managers identify
the actions required to maximize the likelihood of achieving
organizational objectives. Although many commonalities exist between
endogenous risk management and performance management viz., tracking
progress against mission, objectives, strategies, regular reviews by
management and measurement of activity, significant differentiators are
also apparent from the literature review as well as from the above case
study, the most obvious of these being the difference in emphasis. While
strategic control uses performance management frameworks such as the
Balanced Scorecard to identify and monitor what "should
happen", risk management frameworks initially focus on the
identification of "what should not happen". Traditional
performance management approaches might therefore be characterized as
"optimistic", and risk management approaches as
"pessimistic".
This case study has demonstrated that the recommendations of the COSO
framework and the Turnbull report for integrating the management of risk and
organizational performance in general as part of a coherent approach to
corporate governance are both prudent and practical. Because an
organization's exposure to risk and its willingness to accept risk
are ultimately decided by the strategic choices it makes and its risk
tolerance limits, as indicated in the case study in the last rows in
Figure 1 and green cell in Figure 3, the implementation of ERM
disciplines risk management practices at all levels of the company.
Explanation of acronyms used in this case study

Acronym   Expansion
ERM       Enterprise Risk Management in an entity
IMA       Institute of Management Accountants--located at USA, which conducts
          certification programs like Certified Management Accountants (CMA)
COSO      The Committee of Sponsoring Organizations of the Treadway Commission,
          which has representatives from the organizations:
          American Accounting Association (AAA)
          American Institute of Certified Public Accountants (AICPA)
          Financial Executives International (FEI)
          Institute of Management Accountants (IMA)
          The Institute of Internal Auditors (IIA)
BU        Business Unit
PM        Profit Margin
CAPM      Capital Asset Pricing Model (used for valuing financial securities)
NBAD      National Bank of Abu Dhabi market index (like S&P 500 index)
EMNEX     Emirates National Exchange market index (alternative market index
          like Dow Jones)
EMI       Emirates Market Index (like NBAD and EMNEX indices)
MTBF      Mean time between failure--a reliability measure

REFERENCES
Bernstein, Peter L. (1996a). Against the Gods: The Remarkable Story
of Risk, New York: John Wiley & Sons, Inc., p. xxii.
Bernstein, Peter L. (1996b). "The New Religion of Risk
Management", Harvard Business Review, Vol. 74, Issue 2, pp. 47-52.
Carey, Anthony and Nigel Turnbull (2000). "The Boardroom
Imperative on Internal Control", Financial Times, Mastering Risk
Supplement, 25 April 2000.
COSO (2004). The Committee of Sponsoring Organizations of the
Treadway Commission, AICPA, New Jersey, USA. Enterprise Risk Management
- Integrated Framework, September 2004.
Delamontagne, Robert P. (2003). "Reducing risk through
training", Industrial Safety & Hygiene News, Vol. 37, Issue 2,
pp. 1-2.
Hoffman, Douglas G. (2002). Managing Operational Risk: 20
Firm-wide Best Practice Strategies, New York: John Wiley and Sons, Inc.
King, Dennis and Walter G. Beevor (1978). "Long-Range
thinking", Personnel Journal, Vol. 57, Issue 10, p. 542.
Lewis, Michael A. (2003). "Cause, consequence, and control:
Towards a theoretical and practical model of operational risk",
Journal of Operations Management, Vol. 21, Issue 2, pp. 205-224.
Mintzberg, Henry (1994). "That's not
'turbulence' Chicken Little, it's really
opportunity", Planning Review, November 1994, Vol. 22, Issue 6.
Pomeranz, Felix and James Gale (1981). "Auditing the Strategic
Plan", Journal of Auditing, Accounting and Finance, Vol. 4, Issue
2, p. 162.
Rao, Ananth (2005). "Analysis of UAE Bank Stocks", Economic
Horizon, Quarterly Specialized Refereed Journal of the Federation of UAE
Chambers of Commerce and Industry, Vol. 21, No. 82, AH 1420-2000(2).
Stevenson, Howard H. and Mihnea C. Moldoveanu (1995). "The
Power of Predictability", Harvard Business Review, Vol. 73, Issue
4, pp. 140-144.
The Basel Committee on Banking Supervision (2001). Consultative
Document: Operational Risk, Basel, Bank for International Settlements,
p. 2.
Wack, Pierre (1985). "Scenarios: Uncharted Waters
Ahead", Harvard Business Review, Vol. 63, Issue 5, pp. 72-90.
Witzel, Morgen (2002). "Risk prevention is the best
cure", Financial Times, Understanding Risk Management Supplement,
November 20, 2002.
Ananth Rao, University of Dubai
Figure 2 Risk Assessment in Case-A

Inherent risk assessment

Risk: Less number of qualified candidates available
  Likelihood: 20% (Low)
  Impact: 30% reduction in hiring → 30 unfilled positions

Risk: Unacceptable variability in our hiring process (initial filters
for screening candidates too stringent)
  Likelihood: 30% (Moderate)
  Impact: 20% reduction in hiring due to poor candidate screening →
  20 unfilled positions

Residual risk assessment

Risk response: [up arrow] Compensation to the staff; contract in place
with a third party hiring agency to source candidates
  Likelihood: 10% (Low)
  Impact: 5% reduction in hiring -- 5 unfulfilled positions

Risk response: [up arrow] Compensation to the staff; review hiring
process every 2 years
  Likelihood: 10% (Low)
  Impact: 5% reduction in hiring -- 5 unfulfilled positions
Figure 3 Linking Objectives, Events, Risk assessment and Risk
response at Case-A

Operational objective: Hire 100 new qualified staff across all business
units to meet customer demand without overstaffing
Objective unit of measure: Number of new qualified staff hired
Tolerance: 90 to 120 new qualified staff hired

Inherent risk assessment

Risk: Less number of qualified candidates available
  Likelihood: 20% (Low)
  Impact: 30% reduction in hiring → 30 unfilled positions

Risk: Unacceptable variability in our hiring process (initial filters
for screening candidates too stringent)
  Likelihood: 30% (Moderate)
  Impact: 20% reduction in hiring due to poor candidate screening →
  20 unfilled positions

Residual risk assessment

Risk response: [up arrow] Compensation to the staff; contract in place
with a third party hiring agency to source candidates
  Likelihood: 10% (Low)
  Impact: 5% reduction in hiring -- 5 unfulfilled positions

Risk response: [up arrow] Compensation to the staff; review hiring
process every 2 years
  Likelihood: 10% (Low)
  Impact: 5% reduction in hiring -- 5 unfulfilled positions

Tolerance: Total impact of risk responses of 10 unfulfilled positions is
within the company's risk tolerance (Moderate risk)