Need 600+ words with no plagiarism and 2+ schoarly references in APA7 format with citations.
After reading this week’s article, and any other relevant research you locate, please discuss the following in your main post:.
- Which enterprise risk management case study is most interesting to you and why?
- Do you think that ERM is necessary in the contemporary organization and why?
Please make your initial post and two response posts substantive. A substantive post will do at least TWO of the following:
- Ask an interesting, thoughtful question pertaining to the topic
- Provide extensive additional information on the topic
- Explain, define, or analyze the topic in detail
- Share an applicable personal experience
- Provide an outside source that applies to the topic, along with additional information about the topic or the source (please cite properly in APA 7)
- Make an argument concerning the topic.
At least one scholarly source should be used in the initial discussion thread. Use proper citations and references in your post.
Integration of ERM
with Strategy
Case Study Analysis – April 2016
Prepared by: Ha Do, Maria Railwaywalla, Jeremiah Thayer
Graduate Students, Poole College of Management, NCSU
Table of Contents
I. Introduction …………………………………………………………………………………………… 2
II. Case Study: Mitchell Industries ……………………………………………………………….. 3
III. Case Study: Eli Lilly ……………………………………………………………………………….. 9
IV. Case Study: Daisy Company …………………………………………………………………… 15
V. Conclusion …………………………………………………………………………………………….. 21
VI. Appendix ………………………………………………………………………………………………. 22
A1: Mitchell Industries: Risk Assessment Template
A2: Mitchell Industries: Template Assessing Risk in Relation to Strategy
A3: Eli Lilly: Risk Assessment Template
A4: Eli Lilly: Risk Ranking Matrix
A5: Daisy Company: Risk Template
A6: Daisy Company: Rating Scale
VII. About the Authors …………………………………………………………………………………. 34
INTEGRATION OF ERM WITH STRATEGY – 2
Introduction
One of the greatest sources of risk for today’s companies arises from the context of its strategic
plan. While a company’s strategy drives its value creation, it also entails risk-taking; when
strategies change or new initiatives are implemented, new risks may be introduced or existing
risks could change. The greater the degree of integration between strategy and risk management,
the more likely it is that a company will be able to successfully implement its strategy.
Enterprise Risk Management (ERM) is an emerging process that can serve many purposes: as a
tool for risk management, strategic planning, and identification of emerging opportunities and
potential competitive advantages. The purpose of this case study is to provide a description of the
processes used by three different companies in different industries to illustrate the ways these
companies have integrated ERM in the context of their strategy.
These case studies are based on real life examples of how companies have attempted to better
integrate their ERM process within their strategic planning process. The three cases reveal the
variety of methods that can be used based on a company’s strategic objectives, business model,
culture, and maturity in ERM implementation. This report also highlights key takeaways as
points of comparison when assessing the level of integration between ERM and the strategic
planning and implementation process.
Readers should keep the following in mind:
● ERM personnel can use this document to assess their company’s level of integration and
discuss how their current ERM process can be improved and be more closely aligned with
the strategic planning process.
● The methods of integrating ERM with strategy will vary based on the company. Just as ERM
requires customization to suit a company’s unique objectives, culture, and business model,
the integration of risk management and strategic planning also requires a company to
consider its objectives and culture before deciding the best way to align the two processes.
Increasing complexity due to industry changes, globalization, and shifts in technology and
business cycles can produce more risks related to strategy than ever before. By establishing a
close link between a company’s strategic planning and risk management processes, management
can help ensure that new strategic initiatives are connected to appropriate risk mitigation
strategies, that changes in the company’s strategic direction are accompanied by timely
assessment of new or emerging risks, and that the company is better prepared to identify risk-
related competitive advantages.
INTEGRATION OF ERM WITH STRATEGY – 3
Case Study: Mitchell Industries
Background of the Organization
Mitchell Industries is a global aerospace, defense and information technology company. They
provide a broad range of management, engineering, technical, scientific, logistics and
information services. The company was founded in 1985 and has grown organically and through
a number of acquisitions. Headquartered in Chicago, Illinois and incorporated in Delaware, the
company conducts most of its business with the U.S. Government, principally the Department of
Defense (DoD) and intelligence community. The company has 120 locations worldwide,
including 72 international offices, approximately 24,000 employees and customers in 150
countries.
Overview of ERM
Mitchell Industries views risk management as critical to its success. Risk management is
embedded in many business processes such as executive planning, program / contract
management, research and development, etc. However, following the financial crisis, there was
an increased focus on risk oversight practices. Credit rating agencies, such as Standard and
Poor’s, began assessing enterprise risk management processes as part of their corporate credit
ratings analysis, and there were signs that new requirements would be placed on Boards of
Directors regarding their risk oversight responsibilities. During this same time frame, the
company appointed a new board member to chair the Audit Committee who placed an increased
focus on the company’s risk management practices. Leadership of the organization also began to
see the need for a more formal enterprise wide process for managing risk. All of these events led
to the implementation of a formal structured ERM process in 2009.
Initially, Mitchell Industries maintained independent ERM and strategy processes that occurred
in parallel. As leaders recognized the value of being better informed of and prepared for risk
events, steps were taken to align and integrate ERM with the strategic planning process. There
are now several points of integration between the two processes to ensure they are in sync and
reflect the priorities of the organization as a whole.
Integration of ERM with Strategy
The next few paragraphs highlight the details of the ERM cycle, strategy planning process and
their integration.
ERM Cycle
The company has an annual ERM cycle which is facilitated by the ERM team. The ERM team
consists of three members, the Director and two analysts. They are the link between the members
of the organization responsible for risk management and the enterprise risk management process.
The annual process begins with the identification and assessment of risks in the January /
February time frame. The ERM team administers a survey to Vice Presidents (VPs) and selected
INTEGRATION OF ERM WITH STRATEGY – 4
Directors (direct reports to VPs). At the same time, interviews are conducted with the CEO and
the CEO’s direct reports (senior executives).
The ERM team analyzes the information gathered in the surveys and interviews to prioritize the
risks. The prioritized risks are typically presented using a heat map. For each of the
organization’s top risks (typically 8-10 risks), an owner is identified. The risk owners, also
referred to as risk champions, are responsible for assigning a risk manager, approving mitigation
(action) plans, resourcing the plan, and briefing the plan to the Board. The risk owners are
assisted by risk managers who are responsible for the risk action plan. The ERM team works
with the risk managers to understand survey findings and develop mitigation plans. The risk
managers are responsible for managing the risk and tracking the progress of the mitigation plan.
They own the risk and report progress of the mitigation plans to the ERM team on a quarterly
basis. The ERM team summarizes the risks, the risk mitigation plan and the progress in
implementing the plans on a dashboard that is reported to executive leadership and the Board.
During the third quarter, the ERM team updates the earlier identified risks by conducting a
second round of interviews with the CEO and senior executives. They factor in risks that arise
due to external factors such as regulatory risks, geo-political risks, economic risks, technological
risks, etc. Any significant changes are incorporated into the heat map and used to refine the risk
mitigation plans.
The company has several business units and the ERM team shares business unit specific risks
(heat maps) with the executive leadership team of each business unit during the March timeframe.
During the second quarter, the business units consider these risks, determine the risks critical to
their respective business unit and communicate their action/ mitigation plans back to the
executive team during the July time frame as part of their strategic plan.
Strategic Planning Process
Mitchell Industries has an annual strategic planning cycle. The process starts in December and is
both a top-down and bottom-up approach. The CEO owns the overall strategy. That strategy is
primarily developed by the Corporate Strategy office, working in conjunction with business unit
strategists. Once the overall strategy is developed, the plan is communicated by the CEO to the
VPs at the annual Senior Leadership Meeting in the January/February timeframe and to the
Board in February.
The business units develop their respective strategies in light of their portfolio of products and
within the framework of the corporate strategy and guidance provided by the Corporate Strategy
office. This process begins in February and culminates in July with the Strategic Planning
Conference where the business unit leaders present their strategy for the upcoming year to the
CEO. Each business unit is also responsible for annually developing a three-year business plan
that reflects the implementation of the strategy. This plan is updated concurrently with the
strategy and is finalized in November.
INTEGRATION OF ERM WITH STRATEGY – 5
Mitchell Industries ERM & Strategy Implementation Timeline
Con tinuous review of progress of mitigation plans
Corporate
strategy
kick-off
CEO communicates strategy
to VPs &
Corporate Strategy provides
planning guidance to
Business Units
Strategy
ERM
Business Units develop strategic plans and factor in risks
communicated by ERM team in formulation of plans
Interview results fed in
to Dec corporate
strategy kickoff
Business Units
communicate
strategic plans to
CEO
Business Units develop and
present 3 year business plan
ERM team
analyzes
survey
results and
prioritizes
risks
ERM team conducts
enterprise-wide survey
of VPs and interviews
executive leadership
team (CEO, Business unit
leaders)
ERM team
communicates
survey results
to CEO and
Business Unit
leaders
Communication
of enterprise risks
to the Board
Communication of risk
status to executive
leadership and the board
Jan. Feb. Mar. Apr. May Jun. Jul. Aug. Sep. Oct. Nov. Dec.
ERM team conducts
follow-up interviews
with executive team
Integrating the Two Processes
The strategic planning process and ERM process are initiated in two different organizations and
start at slightly different times. Strategic planning starts with the CEO and strategy leads. ERM
starts with surveying the VPs and their direct reports. The two processes operate in parallel, with
both following an annual cycle and combined top-down / bottoms-up approach. There are several
points where information is shared between the two. This is how the company integrates the two
processes to ensure ERM and strategy are in sync and have an enterprise wide impact. The
following are the specific points of integration:
● Macro Level – The first point of integration is the third quarter risk update. This updated
information, which includes external risk developments that may impact the organization, is
communicated to the corporate strategy team who then factors the information into the
corporate-level strategy.
● Micro Level – The second stage of integration is at the business unit level. Each business
unit receives the broad strategic objectives post the CEO and VPs meeting (January/
February time frame). The business units also receive specific information about their top
risks from the ERM team (March time frame). The business units factor this information into
the formulation of their strategic plans.
● Third Level – The final stage of integration occurs when Functions develop strategies/
action plans to support Business Unit plans and address specific risks.
INTEGRATION OF ERM WITH STRATEGY – 6
Mitchell Industries ERM & Strategy Integration
Risk owners identify a risk
manager, approve
mitigation plans and
provide resources for plans
BU leaders are
responsible for preparing
mitigation plans for their
respective BUs
ERM team surveys the VPs and
directors to identify broad
level risks
ERM team interviews the CEO &
senior executives for additional risk
identification and assessment
ERM team:
Gathers information about external risks to the
organization
Consolidates the survey/ interview results
Communicates top risks to risk owners and
business units through heat maps
Works with risk managers to develop risk
mitigation plans
Conducts second round of interviews and
communicates to senior executive team
Risk managers
develop and execute risk
mitigation plans and report
progress quarterly
Quarterly
reporting
CEO communicates strategy to
all VPs at Senior Leadership
Meeting
Business Units:
Receive broad strategic objectives
post CEO/ VP meeting
Receive guidance from Corporate
strategy office
Communicate respective strategic
plan to CEO
Develop 3 year business plans
ERM Process Strategy Planning Process
Macro level integration
ERM team communicates the results of
the interviews/ surveys to the corporate
strategy team who incorporates the
same in strategic planning
Micro level integration
BU’s develop individual strategic
plans within the corporate guidance
framework and include BU specific
risks
Corporate strategy office
develops corporate strategy
plan on behalf of CEO
Planning
guidance to
BUs
Functional units develop
strategies/ action plans to
support BU plans and
address specific risks
Third level integration
Functional unit support to
BUs
Issues in Integration
The initial integration of the two processes was not simple and smooth. The company
encountered some challenges, but ultimately was able to adapt the process. The key issues faced
by the company and the steps that were taken to remedy those issues are as follows:
● Non-value Add Perception
The strategy and business unit leaders believed they had a complete understanding of the
internal and external environment. Therefore, they did not see the value offered by the ERM
team and the need for a separate risk identification and assessment process.
To deal with this, the ERM team worked to eliminate duplication and redundancy and show
the business unit leaders the value added by taking a comprehensive, enterprise wide
approach to risk. For example, the ERM team accumulated risk information from across the
enterprise and provided executive leaders with an enterprise view of risks that they otherwise
INTEGRATION OF ERM WITH STRATEGY – 7
would not get. In addition, they provided business unit leaders with an opportunity to shape
the process for gathering risk information so that the process would be more meaningful for
the business units. Over time, this helped the strategic and business unit leaders be more
accepting of the ERM process and team.
● Leadership Change
Another challenge faced by the organization was the frequent turnover in the top corporate
strategist position. This led to frequent adjustments in the planning process for the
organization. For example, at one time, there was heavy reliance on external sources for risk
information, however, with a change in personnel, the strategic planning function began
relying more on the internal ERM team for risk information. With that shift, the ERM team
was able to be more involved in the strategic planning process.
Through these changes, the ERM team recognized the need to
educate and advocate the value the ERM process can bring. They
now provide a basic introduction and overview of ERM to new
leaders. The education process is not always formal; ERM
professionals also look for opportunities to network within the
organization to make more people aware of the work the ERM
team performs and the resources they have to offer.
Future Steps
Like the ERM process overall, the integration of ERM and strategy is an ongoing effort which
continues to make incremental improvements each year. The company believes the integration is
working well especially since the current leadership is open to further opportunities to fine tune
the integration between the two.
Even with the advances the company has made in their ERM process, the company feels that
parts of the organization are still operating in silos and that improvements could be made in the
linkage of risk mitigation processes across organizational boundaries. The company does not
have a system to align strategic initiatives and risks at the business unit level with initiatives and
risks at the corporate level. This could potentially result in disconnects between the two. The
company is now piloting a new software tool that has the potential to link corporate level and
business unit level strategies and risks.
Another area of improvement recognized by the company is the resource allocation process as it
relates to risk mitigation. While risks are being considered in the strategic planning process, the
need for resources to mitigate high priority risks is not being considered alongside the resources
needed to implement strategic initiatives in each function area. Each functional team has their
initiatives that support the corporate strategy, but those initiatives are not explicitly linked to the
potential risks of achieving the corporate strategy. The ERM team is working with strategy and
functional teams to create better alignment of objectives, strategies and risks.
INTEGRATION OF ERM WITH STRATEGY – 8
The company has crossed the initial hurdle of identifying
and spreading awareness about the need for and benefits of
integrating ERM and strategy. In other words, they have
successfully answered the question “why is integration
necessary”. However, they are now in the stage of
answering the question “how to effectively implement the
integration” and “how to overcome the challenges of
integration”. Successfully dealing with these questions will
enable Mitchell Industries to move onto the advanced stage
of integration where corporate level and business unit level
strategies and risks are developed and managed in an
integrated, enterprise-wide process.
INTEGRATION OF ERM WITH STRATEGY – 9
Case Study: Eli Lilly
Background of the Organization
Headquartered in Indianapolis Indiana, Eli Lilly and Company focuses on the research,
development, manufacturing, sale and distribution of human pharmaceutical and animal health
products. The company sells products in approximately 120 countries worldwide. Eli Lilly has a
market capitalization of approximately $90 billion, revenue in 2014 of $20 billion, and
approximately 41,300 employees worldwide.
Overview of ERM
While the company’s ERM program began formally in 2005, the integration of ERM with the
company’s strategic planning process started in 2007. In order to promote the importance of a
strong connection and assess ways to improve the link between ERM and the company’s
strategic planning process, the Sr. Director of ERM initiated a series of sessions amongst leaders
from the Corporate Strategy, Ethics and Compliance (E&C), and Legal functions. It was
especially important that key strategic risks be included in the ERM process, and that leaders
within Eli Lilly’s strategic functions be able to provide input on what risks were ultimately
elevated to an enterprise level.
Eli Lilly and Company uses a highly structured approach to implement its ERM process and
accomplish integration of ERM and strategy. The board-level components consist of the Audit
Committee and the Public Policy and Compliance Committee (PPCC), which provide oversight
and accountability at the board level.
The company chose to align ERM with its E&C function to benefit
from two key attributes: risk identification and independence. The
E&C function at Eli Lilly conducts risk identification and mitigation
as part of its daily operations; keeping ERM aligned with Compliance
would provide for greater efficiency. The Ethics and Compliance
department reports to the CEO with a dotted line of reporting to the
board, so aligning ERM with the E&C function allowed ERM to
maintain this essential, independent line of reporting as well.
The next element is the Compliance and Enterprise Risk Management Committee (CERMC),
which consists of senior management, including the Presidents of each of the company’s
business units and functions (e.g. LRL, Manufacturing, Quality and Global Services, etc.), the
President of Lilly’s largest affiliate, the Chief Medical Officer, the Chief Information Officer,
and the General Auditor.
Another critical component is the ERM Core Team, which consists of a group of six selected
members representing various areas of the business, including two executives in charge of
strategy (including the leader of Corporate Strategy), the board secretary, who is an attorney in
INTEGRATION OF ERM WITH STRATEGY – 10
the Lilly Law Division, a CERMC member (Chief Ethics and Compliance Officer), and the two
individuals in charge of the company’s ERM process.
Eli Lilly ERM Structure
Having a group such as the ERM Core Team provides several benefits. A multi-disciplinary
team provides an enterprise-wide perspective on both risk identification as well as prioritization.
Including strategic personnel provides a uniquely strategic point of view, and including a board
level perspective can keep the ERM team informed of board-level priorities or concerns and
more closely link ERM risks to the company’s current and future strategic initiatives. The mix of
personnel on the Core Team allows the group to evaluate operational risks through a long-term
strategic lens to identify entity-level risks and opportunities.
Each January and February, the ERM Core Team conducts workshops involving 40-50 leaders
across the company’s geographic regions and business units. The Core Team then uses the
information gathered from the workshops as well as its own internal discussions to put together a
report on entity level risks that is reviewed by the CERMC. The Core Team is able to pull
INTEGRATION OF ERM WITH STRATEGY – 11
together themes that cross business unit/functional area boundaries and use their respective
points of view to prioritize these themes into entity level risks based on a strategic, enterprise –
wide perspective. In this way, the ERM Core Team serves as a critical transition point from the
“silo” perspective of the individual business units to the more enterprise-wide view of executive
management and the board.
For example, after completing its annual ERM
workshop process and reviewing the results, if the
ERM Core Team discovered that several different
business units have identified a similar risk, the
ERM Core Team could upgrade the risk from a
business unit risk to an entity level risk in the
report to the CERMC. Upon review by the
CERMC, additional resources could be assigned,
including the creation of a task force/team to look
specifically at the enterprise level risk and craft a
mitigation plan to be implemented on a company-
wide basis. This is just one example of how Eli
Lilly’s process is designed to take what appears to
be a business unit risk and escalate it to an
enterprise level to be dealt with and mitigated before it negatively affects the company.
Directly supporting the ERM Core Team are the ERM Liaisons, which typically have operational
responsibilities at the business unit or functional level. The ERM Core Team works closely with
the ERM Liaisons to identify risk owners within each business unit or functional area, and the
ERM Liaisons in turn work with the identified risk owners to craft a mitigation plan for the risks
they have been assigned. This ensures that those most directly responsible for managing and
mitigating the identified risks maintain ownership of the risks.
In addition to the assignment of risk ownership, oversight and monitoring is conducted
throughout the process to ensure that the mitigation plans are put into action. Based on whether a
risk has been assigned a high (red), medium (yellow), or low (green) risk designation on the
company’s ERM heat map, oversight is assigned to the CERMC, ERM Core Team, or Business
Unit Liaisons respectively (see Appendix A3 and A4). For example, review and oversight by the
CERMC involves a risk owner providing an update to the members. The ERM Core Team meets
with ERM Liaisons to review documents that support execution of the various mitigation steps,
and Business Unit Liaisons conduct their own review of the documentation supporting execution
of the various mitigation steps.
Integration of ERM with Strategy
One of the first obstacles to integration faced by Eli Lilly was
getting those involved in the process to avoid mentally
separating ERM risks from other strategic processes. From the
INTEGRATION OF ERM WITH STRATEGY – 12
company’s point of view, integration should begin at the individual employee level, and this
required helping employees understand that ERM should not be separated from their other work.
One method the company used to overcome this obstacle was to ensure the timing of the
company’s ERM process coincided with the strategic planning process during the company’s
regular business cycle. When the strategic planning process begins in January and February,
business areas are responsible for establishing their portion of the strategic plan. Information
from this business unit level process is used as an input for annual ERM workshops, which
encourages employees to think about ERM at the same time they are already engaged in the
strategic planning process. This helps embed the ERM process at the strategic planning level and
increases the likelihood that strategic objectives directly inform the risk identification process.
Since the strategic planning process also involves scenario analysis activities, the company is
able to identify potential opportunities for competitive advantage arising from successfully
mitigated risks.
One of the keys to ensuring that personnel perceive ERM as more than just “another corporate
exercise” has been to focus on building relationships and educating employees on how the ERM
process has value for the company. This education has occurred by conducting CERMC and
board meetings as well as sessions with ERM Liaisons. Since the strategic planning process is
well-understood, and its importance widely accepted, linking ERM to the strategic planning
process from a corporate perspective helped forge the correct mindset.
The other key to integrating the process with strategy at the
employee level has been to create “local” ownership of the
process at the business unit level. This was accomplished by
establishing that the business leaders would ultimately be
responsible for the identified risks and their subsequent
management and mitigation. Additionally, making it clear that
the board of directors was keenly interested in knowing what the
risks were and how they were being managed created a powerful incentive that represented the
“tone at the top” and encouraged business unit leaders to make the process work.
After the CERMC conducts its review of the ERM Core Team’s report on entity-level risks, they
also review business unit strategic plans, which provides another level of strategy and ERM
INTEGRATION OF ERM WITH STRATEGY – 13
integration. The CERMC is able to view the strategic plans through the lens of the recently
reviewed enterprise-wide risks distilled from the work of the ERM Core Team and ERM
workshops. Having this dual outlook helps identify overlooked areas or risks that may have been
included in the risk portfolio but not addressed in the strategic plan.
The last component of the integration cycle happens at the end of the business plan process, after
the final funding decisions have been made as part of the company’s budgeting process. The
ERM Core Team and the CERMC meet again to discuss whether any funding changes resulting
from the budgeting process have affected the previously identified risks, and whether any
changes need to be reflected in the company’s risk profile. The ERM Core Team reviews and
provides input regarding the risks included in the company’s 10-K, which provides a final
critical communication link between risk, strategy, and the company’s stakeholders. This
provides a good summation point for the ERM process, and ensures one final point of review
that includes both ERM and strategic perspectives.
Future Steps
The integration of ERM and strategy is an ongoing process that
Eli Lilly seeks to improve each year. The company has
identified three broad areas where it intends to further improve
integration between ERM and the company’s strategic process.
The first area of focus includes improving its identification of
opportunities and not just the threats represented by risks
identified in the ERM process. Further integration of ERM and
strategy will allow risks to begin to inform new strategic
directions and initiatives that add value to the company. The
company plans to implement this change by specifically
discussing possible opportunities during the risk identification
workshop process each year. The discussion will seek to
identify risks that, if mitigated properly, may lead to a
competitive advantage in the industry or marketplace. Any
opportunities identified will then be passed along to those in
charge of business planning.
The second area of focus is to more systematically consider
key risk indicators, or what the company calls “signposts”.
Identifying “signposts” can enable the company to activate or
revise a mitigation plan in time to effectively address emerging
risks. While there are business units that are doing this currently, the goal is to ensure consistent
enterprise-wide adoption in a more formal and documented manner.
The last area of focus will be to more clearly identify risk interconnectedness. Viewing all risks
as being potentially linked in some way will improve both the identification of how one risk can
amplify others, as well as improve management of risks across affected business units. This will
INTEGRATION OF ERM WITH STRATEGY – 14
allow the company to be more efficient in managing risk, as well as assist in the identification of
new opportunities for improvement.
The company recognizes that integration is an ongoing process. Each of the critical elements of
integration have grown over time, and are the result of consistent leadership and support from the
top levels of the organization as well as a positive company culture surrounding risk
management and its integration with strategy.
INTEGRATION OF ERM WITH STRATEGY – 15
Case Study: Daisy Company
Background of the Organization
Daisy Company is a leading national specialty manufacturer of high-quality personal care
products. The company’s products are sold in more than 95 countries and territories around the
world. The company’s net sales for fiscal year 2015 was $12.4 billion and net income was $1.3
billion.
Overview of ERM
ERM is a process by which the company identifies critical risks affecting its ability to
successfully attain its goals and strategy. The company has adapted its ERM process over the
years by adopting a subcommittee ERM approach that deals with major risk areas such as
strategy, technology, human resources, and emerging markets.
Daisy Company Corporate Risk Management Committee
The company has a corporate-level Risk Management Committee (RMC) which meets four
times a year and is made up of ten members from the senior level of the corporation. The
committee includes Presidents of Brands, Head of HR, the CFO, the Treasurer, and the Head of
Operations. Below the RMC, there are nine other subcommittees: Strategic Business Risk, Legal,
Research and Development, Finance and Reporting, Supply Chain, Cyber Risks, IT, HR, and
Emerging Markets. Each of these subcommittees has approximately 8-12 members at VP or
above level. Each subcommittee is made up of multi-disciplinary members to identify the risks to
the company as a whole. Towards the end of the year, the CRO will present the top risks
identified and escalating risks to the CFO, CEO, Chairman, the Audit Committee and the Board
once a year.
INTEGRATION OF ERM WITH STRATEGY – 16
INTEGRATION OF ERM WITH STRATEGY – 17
Daisy Company ERM Structure
The risk identification process begins with a questionnaire that goes to all subcommittee
members as well as risk owners and senior management. The questionnaire, which is part of the
company’s integration of ERM and strategy, includes the following questions:
What are the risks that would affect the strategy?
What are the operational risks?
What risks are escalating that will require priority focus in the current year, and
What risks are emerging risks that could have significant impacts in the future?
The questionnaire includes a catalogue of existing risks for reference, and then the risks are
updated based upon the results of the questionnaire. A risk template is used to record the
identified risks with a description, the risk owner, and a scenario analysis that shows how the risk
affects the company. The template also includes 1-3 risk drivers. The inherent risk is then rated
by the risk owner and RMC based on 3 criteria: probability, impact, and velocity. Then the risk
score is derived from these criteria. As part of the mitigation strategy, a risk owner is assigned
responsibility for developing a mitigation plan. There are also risk mitigation tasks which are
high-level tasks done to implement the strategy for mitigating the risk. In the subcommittee, each
INTEGRATION OF ERM WITH STRATEGY – 18
task is rated to come to a composite score for the strategy and later, each owner of the committee
is responsible for having the template filled out. (See Appendix A5).
After completing the template, the risk owners and the committees then rate the risk on a residual
basis using the same 3 criteria (impact, probability, and velocity) to see how the mitigation
strategy has affected the level of risk. In addition, there is also a mitigation effort score using a 1-
5 scale (deficient, weak, basic, acceptable, and comprehensive) to rate the mitigation actions.
The risk owner is then given the chance to provide an explanation for the risk rating score. In
order to know whether the plan has been implemented in the future or whether the mitigation
plan has worked, the risk owner re-rates the risk after mitigation has been implemented using the
same 3 criteria (impact, probability, and velocity). From the risks and the ratings provided by the
risk owners, escalating risks are determined and reported to senior management [See
Appendix
A6]. For example, cyber risk is a high impact and high likelihood risk, and if it is graphed on the
heat map, it would be upper right. However, the heat map does not give people a chance to
communicate and talk about what they have done to mitigate the risk. Therefore, the residual
rating gives people the chance to show that they are doing all they can, and despite their efforts,
the risk is still remaining high, even with a mitigation plan in place.
Integration of ERM with Strategy
The CEO has driven the integration of ERM with strategy,
therefore, changes and improvements each year have been in the
direction towards integrating ERM with strategy. The support and
strong tone at the top play an important role in the success of the
integration process of ERM with strategy. The risk committees
are made up of 8 operational subcommittees and one strategic risk
subcommittee with risk owners who are typically members of the
operational subcommittees. The strategic risk subcommittee is chaired by the head of strategy
and made up of senior management members. Each subcommittee, except for the risk
subcommittee, has its own risk owner, and risk owners are interviewed individually by the CRO
of the risk subcommittee.
The other key area of integration is the development of lagging KRIs for risk and mitigation
purposes. As a business, from the strategic plan, the company develops lagging KRIs to track the
various mitigation tasks. The risk indicators help the company to enact the mitigation plan in
time to effectively address emerging risks. For example, a lagging KRI might track sales in a
particular place and use the existing KRI to address any changes in risk and mitigation tasks
when the company plans to earn revenue in a particular location.
Finally, the company includes the risk templates in the normal strategy process and includes a
process for identifying the main risks to the strategy and the plan for managing those risks. After
the mitigation plan has been implemented, the RMC will re-assess to see whether additional
actions would be needed and send the summary to the finance department to make sure funds are
available.
INTEGRATION OF ERM WITH STRATEGY – 19
The corporate risk management committee and the risk subcommittees meet quarterly. The
subcommittees usually meet early in the third quarter. The strategic planning process typically
starts near the end of the year, while the budgeting process takes place in the later part of the
third quarter. The strategy process and the risk management process are ongoing, simultaneous
processes. The company sees risk management and strategic planning as a continuous, ongoing
cycle, so they do not try to fit things into a prescribed time, but rather maintain flexibility to
respond to changing conditions.
Daisy Company ERM Timeline
INTEGRATION OF ERM WITH STRATEGY – 20
Future Steps
The ERM process has been improving each year, involving more personnel throughout the
organization. Since its inception 15 years ago, it has matured in tandem with the strategic
planning process. The company has a very strong tone at the top which has supported the
continuous improvement of these processes. One of the most significant improvements in the
process came about during the aftermath of the financial crisis, when the company put more
structure around risk mitigation plans and mitigation efforts.
The company is now in the process of introducing a new set of
reporting procedures which will take more of a dashboard
approach, in an effort to better communicate risk information.
However, the company still believes that informal
communications between the key players dealing with risks
and strategy are critical, and those discussions need to continue.
At the business level, at first, personnel may have felt that
considering risks represented additional work, and did not
really see the immediate benefit. However, the RMC has been
trying to be a facilitator to keep the load on others as light as
possible, so the workload effect was not so dramatic. For
example, the strategic business risk subcommittee used to
request that the other risk committees complete the risk
templates. Now, the strategic business risk committee gathers
the information themselves, completes the templates, and sends
it to the other risk committees for review. Now that the benefits
of the ERM process are widely recognized, and the process has become institutionalized,
changes in personnel have not had a disruptive effect. New personnel quickly adapt to the
process as a result of the strong culture of the company.
The company realized the importance of integration of ERM and strategy early from the
beginning of the ERM process, and considers integration to be an ongoing process. The ERM
process as well as the integration with strategy have grown over time as a result of consistent
support from the top levels of management and the company’s culture.
INTEGRATION OF ERM WITH STRATEGY – 21
Conclusion
There is no best “home” for ERM within a company’s operations; rather, ERM should be
well-positioned to have proper reporting channels and have an effective vantage point of the
company’s operations to avoid potential “blind spots.” This can vary depending on the nature
of the company’s operations, its culture, and organizational structure.
It is essential to remember how important the tone and expectation coming from top
leadership is in creating and maintaining a successful ERM process, especially one that is
functionally integrated with strategic planning.
Take time to build relationships through educating key business process leaders about the
benefits of the company’s ERM process. Business leaders will more fully engage in the
process when they see inherent value in the process.
No matter where a company is in its ERM process, communication and education of those
involved is critical to keeping ERM relevant, accepted, and supported.
Assign risk ownership and mitigation at the business unit level. Making business unit and
functional area level personnel responsible for owning risks and crafting mitigation plans
makes strategy and risk management coexist in the same space. This provides the “front-line”
integration of risk and strategy, since the individuals responsible for carrying out strategic
objectives are also involved in risk ownership and mitigation.
INTEGRATION OF ERM WITH STRATEGY – 22
Appendix
A1: Mitchell Industries: Risk Assessment Template
INTEGRATION OF ERM WITH STRATEGY – 23
A2: Mitchell Industries: Template Assessing Risk in Relation to Strategy
INTEGRATION OF ERM WITH STRATEGY – 24
A3: Eli Lilly: Risk Assessment Template
INTEGRATION OF ERM WITH STRATEGY – 25
A4: Eli Lilly: Risk Ranking Matrix
INTEGRATION OF ERM WITH STRATEGY – 26
A5: Daisy Company: Risk Template
Risk Number: Date Completed/Updated:
1. Risk Information
Risk Name:
Summary Risk Category:
Risk Short Description:
Risk Committee:
Inherent Risk Element
Ratings:
Velocity Impact Probability Risk Score
(Based on 5 point scale: VL-Very Low, L-Low, M-Medium, H-High, VH-Very High)
2. Risk Scenario
Key Risk Drivers:
X
X
X
INTEGRATION OF ERM WITH STRATEGY – 27
3. Current Risk Mitigation Strategies and Tasks
(Effectiveness Ratings are based upon a 1 to 5 scale, with 5 being “Highly Effective”, the Overall Effectiveness Rating represents an assessment of the overall Mitigation
Strategy based upon the Risk Mitigation Tasks that are in place and the assessment of their effectiveness.)
Task
No.
Mitigation Task
Name
Mitigation Task
Owner
Description Task Mitigation Effect Risk Element
Rating Affected
Metrics & Monitoring Effectiveness
Rating
T001
T002
T003
Strategy
No.
Mitigation Strategy
Name
Mitigation Owner Description Mitigation Effect Overall
Effectiveness
Rating
M001
INTEGRATION OF ERM WITH STRATEGY – 28
4. Current Residual Risk Ratings
Risk Element Ratings: Velocity Impact Probability
VIP Risk
Score
(Based on 5 point scale: VL-Very Low, L-Low, M-Medium, H-High, VH-Very High)
5. Current Mitigation Effort (to be completed by Risk Owner)
Mitigation Effort Rating: Comprehensive Acceptable Basic Weak Deficient
Mitigation Effort
Justification:
6. Current Mitigation In Action Example
Current Mitigation Effort rating is Basic or below, risk requires Future Risk Mitigation Strategies
INTEGRATION OF ERM WITH STRATEGY – 29
7. Future Risk Mitigation Strategies (If Current Mitigation Effort rating is Basic or below, risk requires Future Risk Mitigation
Strategies)
Mitigation
Strategy Name
Mitigation
Owner
Description Action Plan Implementation Date Required Resources Incremental
Cost
8. Future Residual Risk Ratings
Risk Element Ratings: Velocity Impact Probability
VIP Risk
Score
(Based on 5 point scale: VL-Very Low, L-Low, M-Medium, H-High, VH-Very High)
9. Future Mitigation Effort (to be completed by Risk Owner)
Mitigation Effort Rating: Comprehensive Acceptable Basic Weak Deficient
Mitigation Effort
Justification:
INTEGRATION OF ERM WITH STRATEGY – 30
10. Risk Outlook (to be completed by Risk Owner): Qualitative rating based on micro and macro factors, not directly
connected to risk mitigation
Risk Outlook: Increasing Decreasing Stable
Risk Outlook Justification:
11. Opportunities: Opportunities are favorable or advantageous circumstances arising from the identification and/or mitigation of
the risk that can promote the achievement of our strategic goals and objectives.
Opportunities Description:
INTEGRATION OF ERM WITH STRATEGY – 31
A6: Daisy Company: Rating Scale
INTEGRATION OF ERM WITH STRATEGY – 32
INTEGRATION OF ERM WITH STRATEGY – 33
INTEGRATION OF ERM WITH STRATEGY – 34
About the Authors
Ha Do is currently pursuing her Master of Accounting degree with a
concentration in Enterprise Risk Management at NC State University.
While obtaining her Bachelor of Science degree in Quantitative
Economics from Tufts University, she built a diverse experience in
financial services industry through her internships in banking and public
accounting firms. Upon graduation, she hopes to begin her career in audit
or risk advisory services.
Maria Railwaywalla is a second year Master of Business Administration
student at NC State’s Poole College of Management. Her concentration
areas are Supply Chain Management and Data Analytics. She has an
undergraduate Juris Doctor degree and over four years consulting
experience. Akin to working in multicultural environments, she gained
varied experience in manufacturing, services, and information technology
industries.
Jeremiah Thayer is a graduate student pursuing a Master of Accounting
degree with a concentration in Enterprise Risk Management from NC State
University. While obtaining a Bachelor of Science in Business
Administration with a concentration in Accounting from the University of
South Carolina, Aiken, he worked as part of a team at a small business
consulting firm, interacting with rural and agricultural businesses to create
feasibility studies, business plans, and marketing documents.