Saturday, August 23, 2008

Enterprise Risk Management at Wal-Mart



Atkinson, William


Depending on the size, nature and complexity of a company, different enterprise risk management (ERM) strategies must be applied. A mammoth corporation such as Bentonville, Arkansas-based Wal-Mart Stores, Inc. requires a simplified process that can evaluate and mitigate the many risks that the company faces. In the 1990s, Wal-Mart's chief financial officer at the time, John Menzer, asked vice president John Lewis to formulate a corporate ERM plan.


Wal-Mart created a five-step process designed around four basic questions: What are the risks? What are we going to do about these risks? How will we measure whether we are having a positive or negative impact on the risks? How will we demonstrate shareholder value?


The Five-Step ERM Process


Step One - Risk Identification. In this step, a risk map evaluates risks on an XY-axis, with the X-axis representing probability and the Y-axis representing impact. This helps to prioritize what are seen as Wal-Mart's biggest risks.


"We schedule a four- to five-hour risk identification workshop, which helps to get senior leadership thinking about what risks may keep them from meeting their business objectives," says Michael Tush, Wal-Mart's director of information systems audit and enterprise risk management. However, the process actually starts about a month before these workshops begin. First, business objectives are clearly defined, such as growing sales, ensuring profit increases, opening "x" number of new stores, etc. "We identify the business objectives against which we want to evaluate risk," Tush explains. "We then send out an information packet to the workshop participants where we have identified the framework."


The framework is based on seven risk categories that are subcategorized into either external risks or internal risks. The external risk categories are: legal/regulatory, political and business environment (economy, e-business, etc.). The internal risks are: financial, strategic, operational and integrity (embezzlement, theft, fraud, etc.).


"We ask the leadership team to identify what they believe to be the top five risks that they think will keep them from meeting their business objectives for the next 18 to 24 months," says Tush. "They send us their responses, and we compile them, ending up with about 20 to 30 risks, which is what we take into the risk identification workshop."


When it is time to vote, there is often a range of voting, where one person will vote on a particular risk as being a one (low), while someone else will vote on it as a 10 (high). "At this point, we ask for more information and details and keep discussions going until we can come to some agreement," he says. "I find this process to be fascinating."


Step Two - Risk Mitigation. This step involves another facilitated workshop, where the three to five most important risks are further defined. During the mitigation workshop, the people who will be impacted most by a specific risk will be invited to participate. For employee risks, for example, these would include people from the operations, human resources, training and legal departments. Once the risk is identified and quantified, the participants create project teams, in areas such as recruiting, training and retention.


One goal of the mitigation workshops is to reduce the workload for the managers involved. To do this, the team conducts an initiative inventory of the procedures that are already in place to address a specific risk. They then pose questions such as: When and why did we start these initiatives? How are we measuring them? Are these initiatives effective? The answers to these questions will help the team identify unnecessary activities that can be eliminated.


Step Three - Action Planning. In this phase, the project teams meet and create simple project plans that identify who will do what by when. The teams then spend several months implementing their project plans.


Step Four - Performance Metrics. "Next, we measure whether the project plans are having a positive or negative impact on the identified risks," says Tush. "We always make sure that the performance metrics do three things." The metrics must first measure results, not activity. The team does not measure the number of training days. Instead it measures the results of the training, such as the ability to increase productivity at the store level. Metrics must also show target performance versus the actual performance and demonstrate trends over time.


Step Five - Shareholder Value/Return on Investment. In order to make sure that the action plans and results end up increasing shareholder value and return on investment, the main goal of this step is to evaluate whether or not the project was able to increase sales or lower expenses.


ERM in Action


As with most new processes, there were challenges ahead. Tush found that the most difficult part of the process was maintaining momentum. "We did our first pilot in Canada in late 2000," recalls Tush. "Once we got started with the identification and mitigation workshops within a business group or country, it was challenging to maintain momentum completely through the process to end up with strong performance metrics, shareholder value and ROI."


In May 2003, however, Wal-Mart hired Craig Faris to work with Tush on the ERM process, and this is helping to navigate leadership teams through all five steps of the process.


Prior to joining Wal-Mart, Faris, the company's senior manager of enterprise risk management, worked at Chicago-based Amoco for 17 years, where he was involved in strategic planning, risk management, organizational change and process improvement. "When I came here, the ERM program had been going for a couple of years and had a very good handle on risk management mitigation," says Faris. "I saw a lot of opportunity for taking it from mitigation to opportunity capture relative to risk."


Faris focuses his risk evaluation at three levels at Wal-Mart: high-level consolidated corporate risk, focusing on the global risk portfolio, international risk and risk at the functional group level.


In the early stages of the ERM initiative, internal audit worked closely with Wal-Mart's risk management department to develop and refine its five-step process. Other members of the team that developed the ERM process included internal audit, loss prevention and corporate security and training.


"We still work closely with risk management," says Tush. "Every Friday afternoon, for example, we have a risk analysis team meeting chaired by the risk management department."


Results


Leadership at Wal-Mart has responded well to the opportunities that the company's ERM process offers. Mario Pilozzi, the company's country president in Canada, has been very active with the process. A year ago, he presented his results at the audit committee meeting. He reported: "ERM helped us identify clear deliverables directly related to risk mitigation, it enabled the team to remain focused on key risk areas, and ERM challenged us to tie our results from our action plans to the bottom line and shareholder value."


What results and benefits has Tush seen companywide? "First and foremost, we are now much more focused on what our major risks are and what we can do about them," he says. "In other words, ERM is not an enlightenment process, in that we don't go into any countries or business units and help them identify risks with which they are not already familiar. Rather, we help them identify and focus on the few that are the most important to address."


The Future


The team has yet to arrive in all of the countries where Wal-Mart currently does business. But plans are being made to complete work in the four remaining territories (Argentina, Puerto Rico, Korea and Germany) within the next year.


Tush also envisions looking for ways to strengthen and automate the capture and reporting of performance metrics. "Right now, we do it manually," he explains. "We want to establish a Web-based application so we can better track our performance metrics."


The next goal for Faris is to help take the concept of ERM from a compliance and business necessity perspective to a business opportunity capture perspective. "This is where the field is wide open," Faris says. "When you really have a good understanding of risk, it opens up a whole new field of opportunity for the organization."


William Atkinson is a freelance writer based in Carterville, Illinois.


Copyright Risk Management Society Publishing, Inc. Dec 2003
Provided by ProQuest Information and Learning Company. All rights Reserved
