Enterprise Risk Management: A Methodology for Achieving Strategic Objectives
Ebook, 280 pages, 2 hours


About this ebook

Written for enterprise risk management (ERM) practitioners who recognize ERM's value to their organization, Enterprise Risk Management: A Methodology for Achieving Strategic Objectives thoroughly examines operational risk management and allows you to leverage ERM methodology in your organization by putting author and ERM authority Gregory Monahan's Strategic Objectives At Risk (SOAR) methodology to work. A must-read for anyone interested in risk management as a strategic, value-adding tool, this no-nonsense book shows you how to use ERM and SOAR to empower your company to go from stuck to competitive.
Language: English
Publisher: Wiley
Release date: Dec 3, 2008
ISBN: 9780470447468

    Book preview

    Enterprise Risk Management - Gregory Monahan

    Introduction

    This book introduces a methodology for the management of risks faced by organizations: strategic objectives at risk (SOAR). It employs a process with SOAR as its acronym. I differentiate between a methodology and a process in this way: A process is a series of predefined steps that, when executed, results in some outcome(s). A methodology is a framework that encompasses a number of elements, including, in particular, people and processes. This book focuses on the application of the SOAR process to risks associated with strategic objectives. I believe risk management has been inadequately applied to this field to date, largely because no one has been able to define a widely acceptable methodology. The SOAR methodology is not restricted to this application; in fact, it can be applied to managing any desired (and uncertain) outcome.

    One of the titles I considered for this book was A Recipe for Enterprise Risk Management. If you think of a recipe as a formula or procedure for doing or attaining something, as it is described in Webster’s dictionary, then this is precisely what this book provides. This definition implies that if you want to get the result, you have to actually do something. This book simply tells you what it is you need to do. Another familiar definition of recipe is a set of instructions for making something from various ingredients. The first part of this definition is practically the same as that given in Webster’s dictionary, but the second part adds something new: the concept of ingredients. This book identifies the ingredients required to conduct effective enterprise risk management.

    Enterprise risk management should not be confused with other similar concepts, such as enterprise-wide risk management. Within this book I prescribe a methodology for managing risks associated with strategic objectives. Literature abounds on how to manage other risk types, such as market risk, reputational risk, operational risk, project risk, or credit risk. Enterprise-wide risk management is (usually) about ensuring that the organization has in place risk management frameworks for each of these different risk types and does not attempt to address risk management in terms of the overall health of the organization as it strives to achieve its stated objectives. Enterprise-wide risk management (usually) relates to the notion of providing senior managers a one-stop shop (often represented by the popularly named dashboard) where they can check that each of the business units is managing the risks it faces. The process usually involves the collection of megabytes of data from every nook and cranny of every office around the globe, the collation of data and storage in an enterprise data warehouse, and the production of many (usually too many) reports, including OLAP (online analytical processing). You have got to have OLAP reports, right? I am a firm believer in the notion that data is king, but I believe there are two different types of data: useful data and rubbish. The SOAR methodology relies on data. The timely collection, collation, analysis, and dissemination of data is critical to successful execution of the SOAR process. Nonetheless, the volume of data required under the SOAR process is likely to be tiny. The two most important characteristics of data employed within the SOAR process are that it be accurate and timely; quality is certainly more important than quantity.

    I advocate that the enterprise risk management framework be managed by an independent enterprise risk management office, that is, a dedicated group of resources who are completely independent of any of the operational units within the organization. I believe that the enterprise risk management office has the greatest chance of success if it is operationally independent of the organization, subject to appropriate transparency of the organization. I object to ownership of the enterprise risk management program by the chief financial officer or internal audit for a number of reasons, discussed in detail later. I will say just a few words now. The SOAR methodology is not an audit process; it is a management process. I advocate that the process be controlled by a dedicated enterprise risk management office for a few reasons. The first one is to make enterprise risk management seem important. Because of the long-term nature of strategic objectives and because the activities associated with strategic plans often are quite removed from daily operations, you can imagine that a process around managing risks associated with strategic objectives might be considered unnecessary. Skeptics might argue that organizations have been achieving strategic objectives so far and suggest that a disciplined approach to the management of risk is not required. As mentioned earlier, I am not going to sell the concept of enterprise risk management. The results of enterprise risk management under the SOAR methodology will speak for themselves in time. I am certain that organizations managing their strategic plans under the SOAR methodology will be more successful than those that manage their strategic objectives by any other method, including no method. Until then, I believe it is a good idea to help people believe in both the concept and the methodology by making it seem important through the dedication of expert resources. 
    The second reason for an independent enterprise risk management function is to test the importance of your strategic objective. If it is not important enough to warrant investment in dedicated resources, why are you doing it? The third reason for recommending that the SOAR methodology be owned and managed by a dedicated enterprise risk management office is to ensure it is applied correctly. In time, senior managers responsible for the management of strategic objectives may be qualified in the SOAR methodology, just as some people are Six Sigma black belts. At that time, a dedicated enterprise risk management office may not be essential, and responsibility for management of the SOAR methodology can be given to the owner of the objective.

    I need to note a couple of things on the example (strategic) objectives I use throughout this book. In stating the example objectives, I have been lazy. I might, for example, say something like The objective is to increase profit. I know that this is a poorly defined objective; a better expression of that objective might be something like The objective is to increase group net profit by 10% per annum over the next three years. I am a big fan of SMART (specific, measurable, actionable, realistic, time-bound) objectives, but I am also an advocate of focus. The focus of this book is not on defining (strategic) objectives, so I have deliberately belittled the objective through lazy expression of it. This book demands that you consider strategic objectives as desired outcomes for which you are striving and that you recognize that the desired outcome is one of many possible outcomes. Just think of playing Frisbee with someone. Ordinarily, you attempt to throw the Frisbee so the person can (run a bit and) catch it. If the person misses it and it hits them in the eye, blinding him or her permanently, you have failed to achieve your objective despite correctly executing your plan. The point is that execution of almost any plan has multiple possible outcomes (usually of varying probabilities), some of which are more desirable than others. If you think of a plan that has only one certain outcome, good for you. That sort of outcome (and its associated plan) does not need management of the type prescribed here.

    A fundamental prerequisite for applying the SOAR methodology is that a number of outcomes are possible and that they are not all equally desirable. If all of the possible outcomes are equally satisfactory (in relation to achieving your objective), then risk management is not required. Furthermore, you should apply (risk) management only if you have the ability to influence the outcome. Let us say you hold a traditional six-sided die and you want to roll a 1; that is, rolling a 1 is your (most highly) desired outcome. You know you have a 1 in 6 chance, right? Unless you have the ability to manipulate the die itself, by, say, replacing the 2 with a 1, or weighting the 6, you should just throw it and cross your fingers for luck.

    I would like to examine one of the prerequisite conditions—that the outcomes are not equally desirable—in a little more detail. I will do so without going too deeply into a fascinating and equally frustrating field that I am determined to avoid: human behavior. Not highlighting the fact that human behavior undermines the robustness of the SOAR methodology (and any other methodology that requires human intervention) could be considered negligent. Or I could excuse my failure to mention it on the basis that I assumed everyone knows that humans are irrational and there is no reason for this to change simply because the SOAR methodology is applied. Here I will talk about human behavior as it relates to desire. I will talk about one other area of human behavior—risk aversion or risk appetite—a little later as part of our discussion on managing human behavior, one of the elements of the react step of the SOAR process.

    In the 1700s, Daniel Bernoulli posed the notions of expected utility and diminishing marginal utility. Expressed very simply, Bernoulli suggested that the same outcome does not produce the same effect on different people. An example might be the "value" person A derives from winning $100 versus the "value" person B gets from winning $100. Bernoulli suggests that if person A is wealthier than person B, person A will derive less value from the prize. Sounds reasonable to me. I have written value in quotation marks as it is a somewhat tricky term to define. Alternatives might be joy, pleasure, satisfaction, or even utility (to name a few). Whether you accept the detail of the theory (you may find it interesting to read) or not, Bernoulli’s theory has implications for the application of the SOAR methodology. Furthermore, Bernoulli suggested that the same outcome may not always be judged to provide the same value by the same person under different circumstances. An example of this might be a person’s decision to travel X miles to save $5 off a $10 item but decide not to travel the same distance to save the same amount off a $1,000 item.

    The SOAR methodology aims to steer the organization toward attaining its strategic objectives. As soon as you recognize a strategic objective as a desired outcome, the implication of Bernoulli’s theory slaps you in the face; desire (differing from pleasure only in time) is a personal thing and tricky to measure. So how can the desirability of different outcomes be measured accurately? Even when the possible outcomes are unambiguously measurable, their desirability is not. The example just given is a great example; a saving of $5 is worth exactly $5, regardless of the original value of an item, but Bernoulli’s theory suggests that the value to the saver is not consistent. Take the case where an organization wishes to achieve sales of $100 million over the next 12 months. Will achieving sales of $95 million be completely unacceptable, or is it almost as good (say 95% as good) as hitting the target? What if the organization achieves sales of $105 million; is that better, worse, or the same as achieving the desired level? When money is involved, it is usually pretty reasonable to take the monetary value as a proxy for value (or the measure of desire), but more is not always better, as the excess can be used as evidence of a lack of control over outcomes. One example of this is where an organization reports greater than forecast profit and its stock price falls!

    This book prescribes a methodology that enables you to increase the chances of attaining your organizational objectives. The methodology includes rules for determining metrics to measure outcomes. Acknowledging the merit in Bernoulli’s utility theory, the method requires that metrics incorporate desirability. A quick example might be in relation to a financial objective: to achieve sales of 100 million units over the next year. We could set the metric as number of units sold and we could set the target value equal to 100. Or we could get a little more sophisticated and do something like set the metric equal to sales objective metric (something that we just made up) and set the target value equal to 3. If the number of units sold is between 95 and 110, then sales objective metric equals 3. If the number of units sold is between 90 and 95, then the metric value equals 2; and for sales less than 90, the metric equals 1. If the number of units sold is anything above 110, the metric value is 2. The reasons for taking this approach include our need to include the notion of desirability in the measurement of the outcome. If sales of 100 million units and 101 million units are equally desirable, we may as well treat those two possible outcomes as equally desirable. You do not have to do it this way. We will discuss the process for setting metric values in detail later as part of the set step of the SOAR process. For now, just keep in mind that we have discussed the notion of desirability and I have suggested that our measurement should include this concept.

    CHAPTER 1

    Defining Enterprise Risk Management

    A trusted colleague and friend advised me that I should not begin with a definition of the term enterprise risk management. After much deliberation, I have decided to include my definition, because I feel it is imperative that you and I share a common understanding of what I am writing about in this book. If you accept my definition, then you can consider everything else I espouse within the context of this definition. If you prefer some other definition, you probably should consider whether the other things I say need to be adjusted for your preferred definition. That said, and with respect and thanks to my friend for his advice, I begin with definitions gleaned from Merriam-Webster’s Eleventh Collegiate Dictionary of each of the words in the phrase:

    Enterprise: A unit of economic organization or activity; especially: a business organization

    Let us proceed on the basis that an enterprise is a group of legal vehicles, divisions, business units, and so forth that make up an organization. I like the term organization, because it seems to carry less connotation about the nature of the organization than, say, company or business. In my view, organization carries no connotation of size, operation, or objective; it could just as easily be a local symphony orchestra as it could be the U.S. Federal Reserve or Barclays PLC. So an enterprise is an
