COSO Compendium of Examples


This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of fraud in organizations. COSO is a private sector initiative, jointly sponsored and funded by:
• American Accounting Association
• American Institute of Certified Public Accountants
• Financial Executives International
• Institute of Management Accountants
• The Institute of Internal Auditors



©2018 All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted, or displayed in any form or by any means without written permission of COSO. P254469-04 0118

Committee of Sponsoring Organizations of the Treadway Commission
Board Members
• Robert B. Hirth Jr., COSO Chair
• Richard F. Chambers, The Institute of Internal Auditors
• Mitchell A. Danaher, Financial Executives International
• Charles E. Landes, American Institute of Certified Public Accountants
• Douglas F. Prawitt, American Accounting Association
• Sandra Richtermeyer, Institute of Management Accountants

PwC—Author
Principal Contributors
• Miles E.A. Everson, Engagement Leader and Global and Asia, Pacific, and Americas (APA) Advisory Leader, New York, USA
• Dennis L. Chesley, Project Lead Partner and Global and APA Risk and Regulatory Leader, Washington DC, USA
• Frank J. Martens, Project Lead Director and Global Risk Framework and Methodology Leader, British Columbia, Canada
• Matthew Bagin, Director, Washington DC, USA
• Hélène Katz, Director, New York, USA
• Katie T. Sylvis, Director, Washington DC, USA
• Thomas Holland, Manager, New York, USA
• Sallie Jo Perraglia, Manager, New York, USA
• Andrise Scott, Manager, Washington DC, USA
• Maria Grimshaw, Senior Associate, New York, USA

Additional PwC Partners, Principals, and Staff
• Glenn Brady, Partner, Missouri, USA
• Peter Claude, Partner, New York, USA
• Peter Frank, Principal, New York, USA
• Rob Gormly, Principal, Washington DC, USA
• David Fisher, Managing Director, Washington DC, USA

Additional Contributors
PwC also wishes to thank Violet Rukambeiya, Derrick Sturisky, and Kathleen Crader Zelnik for their contributions to the development of the Compendium.

Table of Contents

Foreword
1. Introduction
2. Governance in a Higher Education Institution
3. Culture in a Government Entity
4. Culture in a Financial Services Company
5. Strategy and Objective-Setting in an Energy Company
6. Strategy and Objective-Setting in a Not-for-Profit Entity
7. Performance in a Consumer Products Company
8. Performance in a Technology Company
9. Review and Revision in an Industrial Products Company
10. Risk Information in a Healthcare Company

Foreword
In keeping with its overall mission, the COSO Board commissioned and published in 2017 Enterprise Risk Management—Integrating with Strategy and Performance. That publication recognizes the increasing importance of the connection between strategy and entity performance as well as concepts and applications of enterprise risk management. The second part of that publication, the Framework, accommodates different viewpoints and organizational structures to enhance strategies and decision-making. It also sets out core definitions, components, and principles, and it provides direction for all levels of management involved in enterprise risk management.

During the development of Enterprise Risk Management—Integrating with Strategy and Performance, the PwC Project Team received requests for the publication to include examples of the Framework in use. The publication you are reading now responds to that request, providing illustrations of how organizations of different types and sizes and in different industries and geographies might choose to apply these principles. All the examples were developed by identifying industry practices through interviews, case studies, and research.

Each example focuses on a specific industry, but those in other industries can benefit from the insights. Similarly, while each example describes how a different entity has scaled and adapted the principles, other entities can use the information as they see fit.

The COSO Board would like to thank PwC for its significant contributions in developing Enterprise Risk Management—Integrating with Strategy and Performance: Compendium of Examples.

Robert B. Hirth Jr., COSO Chair
Dennis L. Chesley, PwC Project Lead Partner and Global and APA Risk and Regulatory Leader

1. Introduction
The COSO publication Enterprise Risk Management—Integrating with Strategy and Performance sets out a relationship between an entity’s mission, vision, and core values; its strategic goals and directions; and the approaches used in carrying out its strategy.

This complementary publication offers a compendium of examples to illustrate how an organization might apply principles from Enterprise Risk Management—Integrating with Strategy and Performance to its day-to-day practice. Each example highlights specific principles that are relevant to entities of different types and sizes in different industries. Together, the examples relate to each of the five components and twenty principles set out in the Framework.

How to Use This Document
To get the most out of this publication, your organization should consider the principles in the Framework and how to tailor them to the particular strategies, business objectives, risks, and opportunities for the entity. The first step is to think about the size, scale, and complexity of your organization, and then find the section that best applies (see below).

Each example is a standalone case, which means that not all aspects of the components and principles are illustrated in each case. Nor are the examples meant to provide “how-to” instructions or illustrate best practices. But all the components, principles, and definitions illustrated here are discussed in Enterprise Risk Management—Integrating with Strategy and Performance, and you should refer to that publication for a comprehensive discussion of how entities design, implement, and oversee enterprise risk management.

Keep in mind that this compendium of examples is written from the perspective of day-to-day business practices, which does not preclude a risk management function from having its own separate activities. In many cases, a risk function exists within a regulated industry that must adhere to specific activities set by the regulators. This publication is not intended to interpret or supersede regulations that apply to any entity.

Also note that smaller entities may apply these principles using different approaches. For example, all public companies have boards of directors or other similar governing bodies with oversight responsibilities relating to the achievement of an entity’s strategy and business objectives. A smaller entity may have a less-complex operation, governance and operating model, and organizational and legal structure. Management may also communicate more frequently with directors, enabling greater reliance on board oversight for enterprise risk management practices.

Some entities that are just beginning to develop enterprise risk management capabilities may find the examples to be complex, while entities that have more advanced enterprise risk management capabilities may find them simplistic. Keep in mind that this compendium was written for a wide audience and is not intended to be tailor-made for any one organization. Rather, it provides additional context and understanding to the Framework.

What the Examples Include
The examples have been developed for entities of different sizes (local, national, international) and in different sectors, organized as follows:

Local
• Financial services company (Chapter 4)
• Consumer products company (Chapter 7)

National
• Government entity (Chapter 3)
• Energy company (Chapter 5)
• Technology company (Chapter 8)
• Healthcare company (Chapter 10)

International
• Higher education institution (Chapter 2)
• Not-for-profit entity (Chapter 6)
• Industrial products company (Chapter 9)

Applying the Principles
The examples in the various chapters show how the principles can be applied, with each focusing on aspects of different components covered in Enterprise Risk Management—Integrating with Strategy and Performance. Each example:
• Provides context to the industry in which the illustrated entity operates (both external and internal environments).
• Provides background information on the specific entity.
• Highlights the applicable principles.
• Discusses in detail how the organization applies those principles.
• Shows how enterprise risk management is integrated with the business.
• Summarizes the key benefits of those enterprise risk management practices.

Please note that the names of organizations and people in the examples are fictional, and any resemblance to actual organizations and people is coincidental.

What Principles Are Covered
Table 1.1 shows which principles are primarily illustrated in the examples for each type of entity (denoted by a “♦”). Some of the examples include secondary information beyond the primary principles to provide context (e.g., information about the risk appetite or business context), denoted by a “■.” The presentation of the examples follows the order of components in the Framework that the principles primarily relate to (Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; Information, Communication, and Reporting).

2. Governance in a Higher Education Institution

Industry Context [1]
Higher education, often referred to as postsecondary or tertiary education, refers to learning delivered by universities, academies, colleges, seminaries, and institutes of technology that award academic degrees or professional certifications at the successful conclusion of a program of study. Many of these institutions also have research programs driving technology developments, scientific discoveries, and innovation in all disciplines.

Higher education entities may be influenced by any or all of the following external factors:
• Government policies and funding that impact operations and revenue streams.
• Pressures from business and other external stakeholders that challenge institutions to better account for student outcomes.
• Increased competition from international institutions in attracting students.
• Technology that has fueled the growth of on-line programs purporting to offer greater flexibility, accelerated learning, and lower tuition for students.
• Legal uncertainties relating to intellectual property ownership, authority of course materials, and academic freedom for teaching and research staff.

They may also be influenced by the following internal factors:
• Pressures to maintain certain levels of domestic and international student enrolments, which have an impact on forecasted revenue from student tuition and the reputation of the university.
• Challenges in attracting and retaining highly skilled faculty and administrative staff capable of developing challenging curricula and supporting the changing operating needs of the institution.
• Student activism relating to operating decisions that affect the direction and scope of student learning, research programs, and academic freedom.
• Requirements for complying with all laws and regulations concerning ethics, privacy, cyber risks, operations, and campus safety.

Institutions typically finance their operations through a combination of student tuition, government funding, grants, donors, and other sources of income. This involves:
• Attracting and maintaining international and domestic student enrolments to generate tuition fees.
• Meeting the standards required for government funding, borrowing, research grants, and subsidies based on the institution’s reputation for academic rigor and innovation.
• Entering into business partnerships with private enterprises, industry groups, and other organizations in pursuit of a common objective.
• Soliciting financial support from alumni and other benefactors through lobbying, outreach, and marketing programs.
• Managing the financial assets of the institution.

Key Benefits of Enterprise Risk Management in the Example
This example shows how boards can use enterprise risk management to identify and manage entity-wide risks and reduce performance variability.

Principles Demonstrated
The following principles are primarily demonstrated in this example:
• Principle 1: Exercises Board Risk Oversight–The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.
• Principle 2: Establishes Operating Structures–The organization establishes operating structures in the pursuit of strategy and business objectives.

Aspects of the following principles are also demonstrated:
• Principle 8: Evaluates Alternative Strategies–The organization evaluates alternative strategies and potential impact on risk profile.
• Principle 14: Develops Portfolio View–The organization develops and evaluates a portfolio view of risk.
• Principle 20: Reports on Risk, Culture, and Performance–The organization reports on risk, culture, and performance at multiple levels and across the entity.

Facts and Circumstances [2]
The university in this example is a highly prominent institution based in Southeast Asia within a network of partner universities in Europe and North America. It is renowned for its Schools of Business and Medicine as well as its executive MBA program, all of which attract students from around the globe. It has 30,000 students and over 6,000 employees (faculty and administrators).

The eleven-member board that oversees the university is made up of representatives from the business, legal, and medical communities; alumni; and faculty and student population. Six board members are considered independent directors. The president of the board is a retired executive and alumnus of the university who assumed the role four years ago.

Recently, the university’s student enrolment has declined and financial results have not met forecasts. There have been several contributing factors to these trends:
• The rise of international on-line MBA programs that are luring students with promises of accelerated paths to completion and lower living and tuition costs.
• Increasing requests for programs of study and research in emerging fields of technology, analytics, bioscience, and aerospace that require a higher cost of delivery.
• Changes to the laws affecting pension plans, which have increased labor costs.
• Lower than expected returns on the university’s investment portfolio due to deterioration in the local stock market and confidence in the regional economy.
• Legacy operating systems and technology that are increasingly disruptive to the efficiency of internal processes and operations.
• Increased security costs and student support services following a series of on-campus incidents and cyber bullying attacks.

During an analysis of its various revenue streams, the university identified that non-tuition related revenue was lagging behind the other revenue sources (see Figure 2.1). Therefore, as part of its longer-term planning, the university is exploring opportunities for joint ventures and third-party relationships to support the achievement of its strategy and business objectives.

The university has already met with one investor, Lambda Labs. A partnership with Lambda Labs would see a multiyear investment in the university’s infrastructure and provide a welcome injection of working capital. As a part of a regular review of board oversight and to bolster stakeholder confidence, the board intends to enhance transparency of its governance, oversight, and risk management systems.

Lambda Labs stated that while the financial reporting and forecasting information already provided was critical to their decision to pursue further discussions, they require greater visibility and information on the risks and potential impacts on the university’s long-term performance. As an example, Lambda pointed to the increasing number of student protests occurring over proposed curriculum changes and funding decisions, and the impact those could have on the university’s reputation and its ability to attract future investments.

Discussion
Designing Board Oversight
The board is supported by three existing sub-committees designed to oversee the performance of the university in relation to its mission, vision, and core values. The board delegates authority to each of the committees, which is outlined in greater detail in their respective charters:
• Investments Committee: oversight of the investments portfolio in line with the university’s risk appetite.
• Audit Committee: oversight of financial reporting and audit matters.
• Remuneration and Nomination Committee: appointment and remuneration of the board of directors, where applicable, and senior management.

The board retains governance and oversight for the following:
• Authorization and accreditation of the university by the ministry of education.
• Review of and concurrence with the university’s strategy and risk appetite.
• Approval of financial statements and significant investments.
• Approval of designated policies and procedures including staff and academic codes of conduct.

The board identified increasing third-party arrangements as an opportunity to enhance revenue, and it is responsible for reviewing proposals to enter into any significant arrangements. Given the increasing number of such proposals, the board has struggled to manage this particular responsibility. In recent board meetings, some directors have expressed concern about the volume of applications. Many of the proposals are highly technical or in specialist areas outside the experience of the directors, which adds to the time required to review them.

When reviewing a third-party proposal, the board is typically provided with information on the purpose of the agreement, performance targets, potential risks, and ongoing performance-monitoring approaches. But board members have long expressed reservations about the level and quality of information provided. They tend to focus on the assumptions provided that underpin the proposed arrangements and on any contingent payments or obligations placed on the university under the contract, including any that could affect the future accreditation of the university.

As a part of the regular review of board oversight and in an effort to enhance its reporting, the board decided to make the following changes:
• All board members will be required to complete training offered by the National Institute of Board Directors. The training course highlights the responsibilities of directors and includes sections on enterprise risk management.
• Future director nominations will focus on increasing the diversity of experience and expertise of board members in line with the university’s mission, vision, and five-year strategic plan. Future candidates will be considered from a range of fields including technology, sciences, and geopolitical and regulatory affairs.
• To help add rigor, consistency, and efficiency to the review process, and to improve transparency, the board will establish a management steering committee to improve the university’s risk management capabilities and practices when assessing potential partnerships.
• The new steering committee will be given the task of reviewing the university’s current reporting capabilities and proposing improvements to provide better insight into performance and the portfolio view of risk.

Creating a Steering Committee
At the request of the board, the chief financial officer and chief operating officer created a steering committee comprising representatives from each of the schools, the Office of Industry and Commercial Liaisons, information technology teams, and other core administrative functions. The following objectives of the steering committee were set:
• Develop criteria for evaluating third-party agreements that align with the university’s five-year strategic plan and cover a range of strategic, performance, and risk considerations.
• Develop new integrated performance reporting for the university that expands on the current financial reporting of key performance indicators.

The steering committee began by examining the university’s longstanding mission, vision, and core values:
• Mission: To provide world-class academic and research opportunities.
• Vision: To be the leading university of choice in academic excellence enabling staff and students to contribute to the advancement of society.
• Core values: The pursuit of academic excellence and quality, integrity, freedom of enquiry and expression, diversity, and inclusion.

Key Observation
By highlighting the assumptions that underpin the strategy and business objectives, or the assessment of risks, the organization is in a better position to identify changes to the risk profile and performance of the entity in a timely manner.

Next, the committee looked at the university’s five-year strategic plan, which is based on the mission, vision, and core values, and considers risk appetite. The strategic plan has four parts, each of which provides a detailed description of the supporting business objectives, activities, and anticipated resources to achieve the overall strategy:
• Delivering academic excellence.
• Fostering innovation and advancement.
• Supporting the needs of the future economy.
• Optimizing financial and operational performance.

The steering committee identified and assessed risks related to the strategy and performance of that strategy. In addition, the team worked closely with other stakeholders to identify the assumptions underpinning the strategy. Those assumptions included anticipated growth of student enrolment, levels of government funding and other grants, and developments in technology and science that drive interest to particular areas of research. Other assumptions concerned funding allocations, regulatory requirements, and policy objectives.

Designing Relevant Reporting
Figure 2.2 is an extract from the university’s five-year plan, showing the risks identified during the strategy-setting process and assumptions underlying the business objective and performance target.

Key Observation
By using the strategy and business objectives to structure a report, an organization will more clearly highlight information relating to new and changing risks and the impact to performance. Those who use the report can observe how one risk may impact multiple objectives, or how changes in the business context may impact more than one risk.

Considering the risks identified, the new steering committee decided on the following approach to improve the university’s current reporting capabilities:
• Confirm who is anticipated to use the reports and what the specific reporting requirements of those users are, given their responsibilities. Report users are likely to include:
− Members of the board with responsibility for governance and oversight of the university.
− The ministry of education that retains regulatory oversight over many of the university’s functions, including accreditation, government funding, and quality assurance.
− Potential third-party investors and partners who are looking for insights and confirmation of the university’s financial and operational performance and the portfolio view of risks that are managed on an ongoing basis.
− External auditors and ratings agencies.
• Agree on the performance and risk information that should be periodically reported to the board.
• Identify the resources and capabilities required to develop ongoing, integrated reporting.
• Assign roles and responsibilities.

At the time, the university was using a “balanced scorecard approach” for reporting, which covered the four parts of the strategic plan (see Figure 2.3). The steering committee decided to retain that approach. It reviewed the list of indicators, selecting which it would periodically report on to the board, and whether any additional context and analysis would be needed.

Figure 2.3: University Monthly Management Report—Executive Dashboard [3]

Key Observation
The rating and trend analysis was completed in relation to objectives, not risks. This approach focuses the board on performance-related conversations rather than risk-centric conversations.

The balanced scorecard included key indicators and trends for each business objective to highlight levels of performance and identify potentially manifesting risks. The analysis, included in the monthly management report, integrated the discussion of performance and risk to provide context to the university’s level of confidence in achieving its strategy and business objectives (see Figure 2.4).

The analysis also permitted the university to highlight those risks or trends that impact more than one section of the strategic plan. As an example, the increase in university partnerships with industry and commercial entities influences the risk profile of Part 3, Supporting the Needs of the Future Economy, and Part 4, Optimizing Operational and Financial Performance.

Once it improved its reporting practices, the university was able to provide greater transparency of its current and forecasted performance to share with potential third parties. In the case of Lambda Labs, the pharmaceutical research group was seeking to partner with the university to build a state-of-the-art research laboratory that would house world-class research teams and teaching facilities for undergraduate and postgraduate medical students. The construction of the laboratory would be seen as a competitive advantage in recruiting students and bolstering the quality of the academic curriculum and teaching capabilities.

As part of the proposed contract, Lambda Labs included a provision granting them an exclusive license and patents to the use of any inventions produced as result of the contract. Using the evaluation criteria, the members of the steering committee compared the effect of the agreement on the university’s projected financial performance and its objective of maintaining a rigorous academic curriculum.
• The Office of Industry and Commercial Liaisons (OICL) identified that the agreement would be highly lucrative to the university and likely result in increased revenues from government funding and grants, greater investment from other potential donors, higher student admissions, particularly from international locations, and less need to self-fund significant capital expenditures that would have been necessary in the mid- to long-term. However, it also identified the potential for the partnership to overperform in some of these areas, which could challenge the capacity of the university.
• The steering committee also noted the potential of the academic program. They identified two areas of concern in particular: actual or perceived bias in the research, and the ability to maintain academic freedom.
• Moreover, the impact of the proposed new research would have mixed results on the ability to recruit and retain academic staff. While the facilities themselves would likely entice more interest from experienced researchers and faculty staff, the clauses in the contract that might affect academic freedom and cause the perception of or actual bias would likely have an opposite effect. The steering committee also identified clauses in the contract that could impact existing employment contracts and performance metrics relating to research and publication efforts.

The steering committee presented the findings to the board for their consideration. Figure 2.5 is an extract of that report.

The following detailed analysis in Figure 2.6 outlines the anticipated changes to the risk profile and performance of the university if the research center were to be built.

In its oversight role, the board is required to balance the financial windfall and reputational gains from any agreement against the potential threats to academic freedom and independence of research. In this case, the board ultimately decided to pursue the opportunity with Lambda as it aligned with both its mission and vision and five-year strategic plan, with the proviso that additional clauses be inserted in the contract guaranteeing the university’s rights to teaching, research methods, and publication that are free from commercial influences.

Oversight Delivers Value
Prior to enhancing its enterprise risk management capabilities, the board had taken a less rigorous approach to understanding risk when venturing into new areas. The efforts in place today provide the board with greater confidence that it has considered the full spectrum of risks and evaluated the decisions on more than just the financial merits, such as those offered by the Lambda deal.

Further, by updating reporting to include performance and the risks associated with the levels of performance the university was pursuing, the board had provided the information it needed to exercise its oversight role. The reporting assisted the board in asking more insightful questions and analyzing the level of risk it was accepting relative to the partnership with Lambda Labs. Due to active board oversight, the university was able to secure the partnership, and revenue is expected to increase as the partnership goes into effect. More timely and focused reporting also enables the board to act sooner and with greater clarity, thereby reducing overall performance variability.

[1] Reminder: The examples do not illustrate a complete view of all enterprise risk management practices in an organization. Each organization should consider and adapt the principles set forth in the Framework to its specific strategies, risks, and opportunities based on its size, scale, and complexity.
[2] Names of organizations and people in this example are fictional, and any resemblance to actual organizations and people is coincidental.
[3] For brevity, only select key performance metrics listed in Figure 2.2: Five-Year Strategy Part 1: Delivering Academic Excellence are shown in the executive dashboard.

3. Culture in a Government
Entity

Industry Context4
Government entities often have complex and diverse missions that
set the stage for the overall strategy to provide services to the public.
Developing and carrying out a strategy can be complicated by
changes in budget, political climate, highly visible public oversight,
and even the overall mission. Many government entities face
significant resource constraints and declining budgets, which impede
their ability to hire in response to attrition and retirement. This
challenging environment often results in employees who focus only
on carrying out their day-to-day responsibilities, not the bigger
picture.
Government entities may be influenced by any or all of the following
external factors:
• Political landscapes that affect funding and priorities.
• Budget allocations by legislatures that impact the priorities of the
entity and any mission changes.
• Demographics, including population growth rates and age
distribution, that impact the size of the population the entity serves.
• Technological shifts that impact the type and amount of automation
within operations and the challenge to keep pace.
• Changing leadership within governments that create new priorities
or modify existing ones.
• Climate change, which impacts scrutiny of related government
policies.
They may also be influenced by the following internal factors:
• Availability of capital, which depends on the current political
atmosphere and may require government to constrain activities or
quickly reallocate funds.
• Attrition and competition, which can impact the availability of highly
skilled labor.
• Operational failures that challenge the ability to carry out the
mission.
• Availability of investment for technology infrastructure that impacts
the ability to perform complex and interconnected activities.

Key Benefits of Enterprise Risk Management in the Example
This example shows how a government agency changed its culture to
more effectively identify and manage entity-wide risks.

Principles Demonstrated
The following principles are primarily demonstrated in this example:
• Principle 3: Defines Desired Culture–The organization defines the
desired behaviors that characterize the entity’s desired culture.
• Principle 4: Demonstrates Commitment to Core Values–The
organization demonstrates a commitment to the entity’s core
values.
• Principle 5: Attracts, Develops, and Retains Capable Individuals–
The organization is committed to building human capital in
alignment with the strategy and business objectives.
Aspects of the following principle are also demonstrated:
• Principle 20: Reports on Risk, Culture, and Performance–The
organization reports on risk, culture, and performance at multiple
levels and across the entity.

Facts and Circumstances5
The Department of Local Enterprise is a government entity that has
experienced years of declining budgets and increasing mission
responsibilities. It also has been faced with an aging workforce,
resulting in a high rate of attrition due to retirement. These factors
have affected the department’s ability to effectively manage its
operations. For some time managers and employees have been
overwhelmed and, as a result, have focused on carrying out their day-
to-day responsibilities without considering performance or risk
implications.

The operational area that reviews applications for real estate
development has been particularly hard hit. Over one two-year
period, there was an increase in new, first-time applications, a trend
tied to revitalization efforts across several communities. Already short
staffed, the group was unable to keep up with the volume.
Consequently, there were severe delays in reviewing applications and
issuing permits—up to nine months in some cases, three times longer
than other permit-issuing entities. Worse, the delay snowballed. After
two years the backlog of a few hundred applicants grew to several
thousand.
Most of the employees who handled the applications considered the
situation at the time as being futile and just focused on reviewing
what they could in a day’s work. The few employees who tried to
discuss the situation with management had their concerns ignored.
This operational issue began to negatively affect the reputation and
trust of the entity when the media reported on the significant delays,
and external stakeholders expressed grave concerns about the
management of basic operations. The public embarrassment was
matched by calls for investigations into what went wrong. In
response, senior leadership met to discuss how they could solve the
application backlog by reallocating resources and considering
opportunities for more efficiency. But they also realized it was time to
address a growing cultural challenge, reiterate the department’s core
values, and look at creative ways to attract the next generation of
employees.

Discussion
Addressing Cultural Challenges
Russ Desjarles, the head of the Department of Local Enterprise,
recognized that the backlog of real estate development applications
was a symptom of a larger and growing operational and cultural
issue. Management at all levels had not been adequately evaluating
the performance and risk implications of their actions and using that
information to make better decisions. Additionally, the tone from
management suggested that employees should just focus on getting
their work done, not on raising issues of risk. Russ and his leadership
team acknowledged that this culture was causing problems to linger.

Key Observation

Defining roles and responsibilities for enterprise risk management at all levels of an
organization sets the expectation that it is not something left to those in charge of risk,
but something the entire organization must embrace and participate in.

The leaders agreed on a first step to evolve the culture to be more
risk aware: embed enterprise risk management capabilities into each
business unit in order to create a safe place for employees to talk
about risk and provide line of sight into each operating area. They did
this by creating the role of “risk ambassador” for each business unit.
These risk ambassadors were to be the primary link between their
business unit and senior management on issues of risk. They were
given the responsibility of helping their individual units develop
adequate risk management practices and infrastructure to identify,
assess, and treat risk at all levels of the operation. This organizational
model allowed the leadership team to be connected to every
business unit to drive training, communication, and feedback about
the cultural changes made.
Crucial to the success of this model was choosing the right people to
be risk ambassadors. Each ambassador needed to command respect
from both employees and the head of the business unit—for example,
a senior manager with a reporting line directly to the head of the
business unit. This helped to improve acceptance of the ambassador
within the business unit and made it more likely that employees
would be willing to discuss risks with them. The success of this effort
soon became apparent. Within the first three months of the program,
a risk had been brought up through the ambassador network, which
was then escalated to the head of the business and resulted in a
change to the process that kept the risk from manifesting.
Also important to the success of the model was the effort to
communicate the message from the top—that message being that a
fundamental change in environment was needed, one in which all
employees felt safe bringing up and discussing risks. Russ reiterated
this message in all meetings with employees at all staff levels. The
senior leadership discussed what was required to create a safe
environment, and they produced a webcast on how to do that. The
risk ambassador program showed the tangible commitment to the
new culture. Further, several early examples of employees escalating
risk information, and the department subsequently responding to the
risks without retaliation, communicated to the organization that
management’s efforts were sincere and that all comments would be
taken seriously.
Because Russ could not offer financial incentives to promote the
desired behavior, other types of rewards were established, including
being recognized by senior leadership. The new practices were
formalized into written employee roles and responsibilities, which
became part of the measure of individual employee performance
during annual personnel reviews. This action reinforced the message
that any deviations from the expected behavior would be handled
through the personnel performance management process.
Several statements of responsibility related to practices that were
intended to help move the organization toward the desired culture:
• Management creates a safe environment, which encourages
transparent risk identification by staff from across the units and is
supportive of open risk discussions.
• Management motivates employees to embrace risk management
and provides them with the tools and training to do so.
• Management encourages integrating risk in the decision-making
process.
• Risk ambassadors promote enterprise risk management awareness
through transparency in all directions and by sharing business unit
enterprise risk management successes and best practices.
• Employees understand and accept responsibility for identifying,
assessing, and managing risk.
Finally, the leadership team built on an existing strength to change
the culture: its successful training program. Historically, training had
been a primary catalyst for communicating transformational ideas. It
was also one of the only venues where employees could interact
across business units, so they generally looked forward to
participating in training. Leadership recognized the power of training
and decided to use it to address some of the cultural issues and to
enhance the organization’s overall risk capabilities. Training was
tailored to different staff levels to reinforce the desired behaviors at
each level. For senior management, training emphasized the
importance of building a culture where risk information is shared at all
levels. For employees, training emphasized the importance of
identifying and escalating risk information.

Key Observation

By aligning risk reporting with existing reporting processes, risk management is not
viewed as a separate activity, but as one part of managing performance and operations
at each level.

The positive results were soon apparent. For those employees in the
real estate development applications group, raising the level of risk
awareness through training allowed them to identify and
communicate risks to the objective of processing the applications,
which resulted in modifying the process and improving efficiency. At
another training event, Carina Mack, Cordell Bramble, and Madeline
Fromm, ambassadors from three different business units, identified a
risk that was common to them all. Considering the information in
aggregate changed the assessment of the risk and revealed a greater
exposure. The three ambassadors worked with their business unit
leaders to establish a small cross-functional team to develop the right
response to the risk. Carina, Cordell, and Madeline were
subsequently recognized by leadership for their efforts to identify,
prioritize, and treat the risk. In-depth risk management training is now
provided at least once a quarter to the risk ambassadors, since they
are responsible for embedding risk management practices and
capabilities into the operations of their respective units.

Russ has also made time for regular discussions on emerging risks. In
these discussions, ambassadors identify emerging risks, considering
the business context of the department and changes to the internal
and external environment. This practice has now been carried into the
regular processes of identifying business unit risks and strategic
planning.
Understanding Changes in the Culture
Having implemented several cultural changes, leadership wanted to
evaluate the impact of the measures taken. They already conducted
an annual employee survey with broad focus, and that had a good
participation rate. To avoid “survey fatigue” (which tends to drive
down response rates), they decided they could use the information from the
existing survey and build on it.
To that end, they collected the survey data from previous years and
reported the responses concerning culture to the risk ambassadors
and senior executives. Figure 3.1 illustrates the results of the survey
over eight years, with the changes in culture being introduced
between years 7 and 8. The four areas being tracked by the survey
show improvement, but did not reach 80%, which was the target.

Note that while the survey results did not drive culture change, they
provided point-in-time information on how behaviors were changing.
Senior executives were asked to review the trends and develop an
action plan to change behaviors in their units to drive a culture of
awareness and transparency for risk.

Designing Relevant Reporting
The issue of the real estate development applications revealed that
the leadership team did not have a comprehensive view of the
department’s top risks. In addition to taking steps to reinforce the
desired behaviors and encourage communication of identified risks,
senior leaders designed a risk-reporting process to provide
information that would enhance decision-making and performance
review. To that end, they developed a matrix showing the information
requested, who required it, and the frequency with which it was
requested.

Key Observation

You need to understand the stakeholders’ expectations for reporting before you begin to
design your reports. That’s the only way you’ll prepare a report that gives them what
they need.

The matrix provided what they needed to initiate two reporting
requirements (raise awareness of risk and better integrate risk into
decision-making). The first step was to tie the risks for each business
unit to the unit objectives and performance through the quarterly
business performance review. The discussion, which until this time
focused on detailed business performance, was modified to include
how the department assessed, prioritized, and responded to the
risks. The response discussion included the current response, the
progress of any planned responses, challenges that management
identified to implementing planned responses, and opportunities to
improve the process as a result of the analysis.

The second reporting requirement called for more formal
consideration of risk during the decision-making process. Both of
these reporting requirements increased transparency of the risks
being considered as part of business decisions and of how risks
impact the performance of the business unit. As well, they imposed a
consistency on management’s review of decisions.
Throughout the entire chain of command, leaders now expect
personnel to understand the risks at their level and be able to report
them. This expectation is built into the management structure, and
risk is a common agenda item at management meetings.

Building Human Capital
Russ and the leadership team at the Department of Local Enterprise
have continued to build a risk-aware culture with three specific
initiatives:
• To seize the opportunity, created by the high attrition rate, to attract
the next generation of talent, they established a six-month rotational
program where participants work with the risk management team,
and then move into other management positions. This model allows
the program participants to see the value of openly discussing risk
and how risk information can be used to enhance decision-making.
The program has helped to change the culture as the program
participants take the information into the different business units
where they use their new skills.
• The leadership team has established a relationship with a local
university that includes enterprise risk management in its
curriculum. The senior managers provide the university with job
descriptions for available positions for graduates, and the university
feeds those opportunities into its pipeline of talented students that
already have enterprise risk management knowledge.
• The operating model of ambassadors has been continued and is
now embedded so that unit leaders better understand the risks to
the business objectives of their individual units. Many of the
ambassadors now think differently about the business and have
consequently been elevated in their levels of authority.
These three initiatives have allowed the leadership team of the
Department of Local Enterprise to add enterprise risk management
skills and capabilities to the list of required skills for succession
planning.

Key Observation

Discussions that specifically focus on emerging risks and risks from the external
environment can help an organization understand important disruptive events.

Russ also recognized that the business units needed to embrace risk
management and embed it into their operations if they wanted to
receive timely risk information to inform decision-making and avoid
issues such as the one related to real estate permits. To help support
this practice, leadership established a series of operating standards
that all the units are expected to meet. These standards provide
enough flexibility so units can implement risk management effectively
while still retaining consistency across units. The department uses
peer review as one method of evaluating the competence of the staff
directly responsible for risk management and whether the units are
achieving the standards. Ambassadors review the work of other
ambassadors and provide feedback on how capabilities can be
enhanced. Aggregate feedback is also provided to inform topics for
enterprise-wide training.

Leveraging Culture Results in Enhanced Performance
Together, all of these changes to enhance the culture and focus on
risk awareness created an environment in which employees felt
empowered. One result was that they found a solution to the original
backlog problem. The focus on the desired behaviors and culture
allowed the department to enhance, not inhibit, its ability to
identify and communicate risks in the entity. Now the leadership team
is better able to identify and respond to entity-wide risks before they
become national news.
4 Reminder: The examples do not illustrate a complete view of all enterprise risk
management practices in an organization. Each organization should consider and adapt the
principles set forth in the Framework to its specific strategies, risks, and opportunities
based on its size, scale, and complexity.
5 Names of organizations and people in this example are fictional, and any resemblance to
actual organizations and people is coincidental.

4. Culture in a Financial Services Company

Industry Context6
Financial services companies offer a wide variety of financial products
to customers who want to manage their financial assets. These
companies range from local credit unions to global institutions.
Customers vary from individual retail clients to large organizations
with sophisticated financing requirements. No matter what the size
and scope of a financial institution, its complexity of products,
operations, and balance sheet management is derived from its
mission, vision, and strategy and influenced by the prevailing
economic and regulatory climate. Regional banks, in particular,
provide the financial lifeblood for the area in which they operate,
supporting communities, industry, and small businesses in growing
localized economies and creating jobs.

Financial services entities may be influenced by any or all of the
following external factors:
• Regulatory scrutiny and heightened expectations of staff conduct,
lending and sales practices, and the effectiveness of enterprise risk
management programs.
• The health of the local economy, which typically is strongly
correlated to the ability to increase deposits and lending activity
and is affected by financial downturns.
• Economic implications from the distribution of wealth and by
institutions financing new opportunities and businesses.
• Disruptions to the traditional banking models as new technology
becomes available (e.g., e-banking).
• Significant capital and liquidity requirements imposed by regulators
in order to solidify the financial foundations and resilience of
financial institutions.
• Social expectations of corporate philanthropy and support of
community causes.
They may also be influenced by the following internal factors:
• The need to manage new and increased capital requirements
imposed by regulators.
• Competition for talented employees in new areas such as e-banking,
model development, and credit risk management to
support initiatives and respond to changes in the market.
• Stable, long-standing relationships centered on understanding
customers’ businesses, risk profiles, and capacity to meet their
financial obligations.
• A relationship-based approach to lending that relies increasingly on
qualitative information from customers, given the availability of
audited financial statements, tax returns, or other verifiable
information.

Key Benefits of Enterprise Risk Management in the Example
This example shows how a financial services company relies on its
culture to increase the range of opportunities. It identifies
opportunities to realign internal operations and customer interactions
with its culture in order to promote its long-term financial success.

Principles Demonstrated
The following principles are primarily demonstrated in this example:
• Principle 3: Defines Desired Culture–The organization defines the
desired behaviors that characterize the entity’s desired culture.
• Principle 4: Demonstrates Commitment to Core Values–The
organization demonstrates a commitment to the entity’s core
values.
• Principle 5: Attracts, Develops, and Retains Capable Individuals–
The organization is committed to building human capital in
alignment with the strategy and business objectives.
Aspects of the following principle are also demonstrated:
• Principle 6: Analyzes Business Context–The organization considers
potential effects of business context on risk profile.

Facts and Circumstances7
Broad Bridge Bank was founded 120 years ago. This regional bank’s
brand is based on a simple principle of serving the towns and
business centers in the area: “We are at the heart of our community.”
It currently has $950 million in assets and approximately 30,000
customers. Customers range from retail to small commercial,
industrial, and agricultural businesses that rely on the bank for
working capital and related purposes.
The bank has twelve branches and introduced e-banking services
nine years ago. The move to e-banking reduced some overhead
costs and provided greater transparency of the behaviors and
financial health of its customers. Bank managers have autonomy to
tailor branch operations to their community needs, accept new
customers, authorize lending decisions up to a certain value, and
refinance existing financial arrangements with approved customers.
Many bank managers pride themselves on knowing their customers
well and offering personalized service. As one manager puts it, “the
bank succeeds when our customers succeed.”
During a recent financial crisis, several things happened that affected
the bank:
• Deposits and lending activities declined dramatically as smaller
businesses struggled to survive the economic downturn.
• Many small businesses that relied on their homes and other
property as the main source of collateral were adversely impacted
as property values plummeted, increasing risk to the bank.
Collateral requirements for new and existing customers started to
become more stringent as a result.
• Regulators began to scrutinize the bank’s lending practices and
capabilities in assessing the creditworthiness of customers.
Broad Bridge Bank responded to these developments by moving away
from qualitative assessments to more quantitative, verifiable sources
of information and introducing more standardized assessment
practices. The authority of bank managers to authorize new loans and
other transactions was curtailed.
In addition to changes in banking practices, Broad Bridge Bank
moved to offset rising costs and improve efficiencies by:
• Reducing staff and branch hours.
• Changing performance targets to emphasize transactions with
higher fees or lower processing complexity and associated costs.
• Increasing on-line services to standardize processing workflow and
reduce overhead costs.
• Reducing staff benefits and incentives.
• Reducing involvement in community activities, investments, and
philanthropy.
Figure 4.1 illustrates the impact over several years of the bank’s
decision to diversify the asset base to have a larger proportion of
lower-yield, less-risky assets.

Other relevant facts include the following:
• The board of Broad Bridge Bank, which meets quarterly, comprises
seven independent directors with backgrounds in finance, banking,
and law. Only three of the directors have lived or worked in the local
area. The bank has chosen not to establish separate subcommittees
and is governed by its board charter. The charter
assigns governance and oversight responsibilities to the board in
accordance with its mission, vision, and core values. Board
directors are limited to a maximum of three terms, each lasting four
years.
• The board recently appointed a new director, Betty Fund. She is a
member of the community and local chamber of commerce, and
was previously the financial director of a local business franchise.
She was chosen to strengthen ties between the board and the local
communities that the bank serves.
• In accordance with regulatory requirements, the board has
appointed a chief risk officer (CRO), Tyler Mann, who reports
directly to the board. Tyler has delegated authority to design and
implement a suitable risk management framework.
Discussion
Before attending her first board meeting, Betty Fund asked Tyler
Mann to prepare a report outlining the portfolio view of risk given the
performance of the bank. The report highlighted the following:
• There is increasing disparity between the expectations of
regulators, shareholders, the community, and bank customers.
• Competing priorities create confusion among leadership and lead to
inconsistent decision-making.
• Lending practices and ratios are affecting the economic recovery of
the local areas the bank services.
• Borrower distress is increasing, as evidenced by late repayments and
defaults.
• The number of complaints and adverse social media postings about
staff interactions with bank customers is on the rise.
• Market share has started to diminish as customers move to new,
competitive entrants in e-banking.
• Staff turnover has increased, and the bank has experienced
difficulties in attracting new staff in targeted areas such as IT
resources, compliance, and credit risk management.
The report concluded that while efforts to secure the financial future
of the bank have been successful in achieving the business
objectives relating to financial safety and soundness, greater risk now
existed in the achievement of business objectives relating to
customer satisfaction, market share, branding, and innovation. As
well, in the longer term, the risks to these other objectives were likely
to eclipse the financial safeguards introduced by the bank and impact
its pursuit of its mission and vision.
Defining Desired Behaviors
At the quarterly board meeting, Betty asked Tyler to present his
findings from the report. Afterwards, the board concluded that the
bank needed to renew its focus on its mission, vision, and core
values, and asked the management team to put together a plan of
action to present at the next board meeting.
The management team decided on an approach that would help
them set their priorities. They began by defining desired behaviors in
accordance with mission, vision, and core values. They also
undertook an enterprise-wide assessment of the existing culture to
identify where behaviors may have deviated or where changes were
required. Their plan of action is illustrated in Figure 4.2. They also
implemented mechanisms for monitoring future changes.

Following the analysis, management defined its priorities for
implementing changes. They began by alerting staff that they would
be assessing current bank operations, including lending and sales
practices, customer service, and back office operations. The goal
was to identify potential risks and their root causes and propose
management actions. In an email to the bank’s staff, the chief
executive officer reaffirmed his commitment to the core values of
Broad Bridge Bank and assured staff that they would be free from
retribution if they came forward with any concerns. A series of staff
and team meetings were scheduled for the following weeks. Meetings
were held in informal settings and were led by members of
management, not by the group team leader. This format allowed staff
to be more comfortable in raising their concerns.

Management used the following statements to gauge reactions and
obtain insights from staff during the meetings:
• Our core values are clearly understood.
• Policies and procedures provide clear guidance for expected
behavior.
• Decisions are made in line with our core values, even in the
absence of a defined process or policy.
• My leader does not compromise compliance and good risk
management practices in pursuit of sales targets.
• I have a clear understanding of what is expected of me.
• I am encouraged by my leaders to report issues and concerns.
• I can articulate how my role fits into the bank’s objectives.

Key Observation

To analyze observations and assess the impact on performance, management groups
the findings by objective, not by risk type, to better identify where risks are either
occurring or changing in severity.

After this exercise, the management team reconvened to analyze
what they had learned from the employees, which they summarized
as follows:
• Staff were bearing the brunt of customer frustration in response to
more stringent loan application processes, shorter branch hours,
and reallocation of client portfolios from long-standing relationship
managers.
• Bank managers felt less empowered to make decisions and help
customers most effectively. As one manager stated, “I used to help
my customers build better businesses. Now I hand them a form to
fill in.”
• Customers were posting complaints about the bank’s customer
service on social media, stating that Broad Bridge Bank had turned
its back on its customers and its community.
• Several larger clients had been interviewed by the local press and
admitted that the lack of support from Broad Bridge Bank was
impairing their ability to grow their businesses and create jobs in the
area.
• Staff were aware of the bank’s brand, but that had not been
translated into policies or other tools to help with decision-making.
Consequently, inconsistent decisions were being made concerning
underwriting, budgeting, and other operational matters.
• Staff were unsure how performance targets and incentives were
determined given the competing objectives of being financially
successful while meeting the needs of the community.

In response to what they learned, the management team prepared a
plan to address how the core values of the organization should be
strengthened and integrated into day-to-day operations. The plan
reaffirmed management’s commitment to the mission, vision, and
core values of the bank as follows:
• Mission: Support the economic growth and foster financial
prosperity of our community through the provision of banking and
financial services.
• Vision: Be the most trusted business advisor and bank of choice for
our community.
• Core values: We act with the utmost integrity and professionalism,
providing the highest level of customer service and honoring the
responsibilities we have to our customers, staff, and community.
The plan has four major sections that are in line with the strategic
plan, business objectives, and core values:
1. Demonstrating leadership.
2. Providing excellent customer service.
3. Improving internal operations.
4. Building human capital.

Demonstrating Leadership
Management implemented training modules specific to the mission,
vision, and core values, and through this scenario-based training they
enabled personnel to better understand how individual expectations
drive desired behaviors throughout the bank. For example,
relationship managers were given a scenario of receiving a financing
application from a long-standing customer who did not meet all of the
revised quantitative information requirements. Training was provided
on what other information could be relied on to meet the regulatory
requirements and how to decide whether to approve the application
that was in line with the bank’s core values and risk appetite. Staff
were also given guidance on how to work collaboratively with clients
to strengthen applications where needed.

Management set for themselves the expectation that they would
embed the values and desired behaviors in all future
communications. The values and behaviors would be front and center
in leading the organization to be aligned with strategy, risk, and
performance. They also developed new board-level reporting metrics
related to risk, performance, and culture, including:
• Community engagement indexes.
• Customer satisfaction and loyalty.
• Employee empowerment and commitment.
The intention was to join these to existing financial, market share,
regulatory compliance, and efficiency metrics to form a more
comprehensive balanced scorecard in assessing the bank’s
performance and risk profile.

Providing Excellent Customer Service
Having reviewed customer complaints and considered the
experiences described by branch staff and call-center team
members, the bank decided to reinstate the delegation of authority
that had been in place before the financial crisis. This meant that
those employees who interacted directly with customers would once
again be making the majority of day-to-day decisions, approving
applications by new customers, and changing lending limits and
refinancing terms. Of course, the expectation remained that all
decisions must still align with the bank’s risk appetite and
performance targets.

Branch operations were also reviewed. Where appropriate, branch
opening hours were extended to mirror the needs of small businesses
and rural communities. An analysis of the walk-in traffic confirmed
that the costs of keeping some branches open are offset by the
increased banking activity and are directly correlated with customer
satisfaction scores and brand perception within the community.
The bank also launched its “customer first” campaign to encourage
relationship managers and bankers to spend more time with their
customers and to better understand their businesses. Managers were
encouraged to make site visits and develop a communication plan for
all clients to ensure ongoing contact, anticipate future needs, and
identify potential issues. One objective of the campaign was to get
ahead of clients experiencing difficulties and come up with alternative
financing options before defaults took place.
Improving Internal Operations
The bank also turned its attention to its internal operations. While it
had progressively updated policies and procedures to meet new
regulatory requirements, it had not reviewed the impact on its ability
to adhere to its core values. The bank therefore undertook a modeling
exercise to determine the relationship between its lending practices
and subsequent economic growth. That is, it researched the impact
of banking activities on sales, revenue growth, and job creation for
local businesses. Based on what they learned, the bank revised its
underwriting and credit risk management policies to clarify types of
qualitative information they could rely on to support more consistent
lending decisions by relationship managers and lending staff.

Additional training was offered to all staff to reinforce expected
behaviors and compliance with policies and procedures. The bank
also developed a program of ongoing training so that the growth and
development of employees would continue to be integrated with the
established values and behaviors.
Finally, a full-time community relations advisor was appointed to
promote stakeholder interests. The role includes identifying
opportunities for the bank to get involved in community initiatives and
philanthropic investments. To that end, the advisor now works closely
with the heads of retail and commercial banking as well as the
customer care teams to promote more effective community
engagement.

Building Human Capital
The bank integrated the values and desired behaviors into the human
capital life cycle, which includes recruiting, performance
management, and termination.
New employees are now required to complete the training modules
(mentioned above) so that the bank’s values and behaviors are
communicated and understood from the outset. The bank reinforces
its values and desired behaviors by circulating periodic newsletters to
highlight new policies and processes and remind employees of their
personal responsibilities. Culture is reinforced through required
annual training for all employees.
The values and desired behaviors have also been integrated into
annual performance reviews, which are the basis for evaluating and
compensating team members. Every role in the organization is
measured against the common set of desired behaviors. Adherence
to risk-related procedures is part of the review.

Broad Bridge Bank also decided to review its incentives program and
consequently modified the compensation structure to focus on long-
term sustainable performance in line with core values, rather than
short-term performance. They made adjustments to include
performance incentives to recognize positive risk management
behaviors, and mechanisms that trigger bonus forfeiture in the case
of reckless risk taking. By integrating risk metrics into the employee
compensation program, management demonstrated its commitment
to promoting desired behaviors of performance and risk. Connecting
compensation and risk-adjusted performance helped create
outcomes that aligned with the company’s portfolio view of risk. The
rewards and consequences demonstrated that risk management is
everyone’s responsibility.
Following each performance evaluation, management now
establishes performance goals with employees for the upcoming
year, embedding enterprise risk management practices and
capabilities into the achievement of those goals. Accountability for
risk management responsibilities is clearly defined and employees are
required to fulfill risk-related objectives as part of their annual goals.
Management has also established individual and unit-level
performance measures, incentives, and rewards, embedding the
values and desired behaviors into the process. Customer satisfaction
measures have been included in an effort to maintain a customer-
centric posture and incorporate customer expectations into the
process.

Ongoing Review
Six months after the initial review and before the next analyst briefing
with investors, Betty Fund requested an update from Tylor Mann on
how the changes in culture had affected performance. While the
culture had not completely changed, there were some measurable
impacts:
• Walk-in traffic during extended opening hours remained high in
remote branches as customers looked to complete their banking at
the beginning or end of the day’s trading hours.
• Profitability and efficiency ratios deteriorated slightly after the initial
outlay of costs in implementing management changes but have
since stabilized.

• Credit file reviews had uncovered less variability in lending
decisions with greater understanding by lending staff on reviewing
and approving applications and transactions.
• The number of customer complaints had not changed, but
resolutions were being achieved 18% faster.
• The bank’s social media platform was once again focused on its
community initiatives and activities and was no longer being used
by customers as a means to communicate their dissatisfaction.
• The community advisor reported strong correlation between the
provision of banking services and growth of new jobs in local
counties. Further, the advisor was working with relationship
managers to capture more qualitative data for existing customers to
support their future banking needs.

Key Observation
Review activities should account for the time horizon of the entity’s strategy and
business objectives as well as any associated assumptions.

Refocus on Culture to Meet Objectives
When Broad Bridge Bank identified that the actions they were taking
to meet their financial objectives were impacting their customer
service objectives, they recognized the need to update their core
values and focus more on meeting customer service objectives. The
bank’s directors and chief risk officer reinforced the need to make
decisions that considered the full spectrum of risks, not just the
potential financial impact. With a refocus of the culture on all of the
bank’s goals, decisions are now being made that balance the
customer, the community, and the financial returns. And by having a
complete understanding of the risks to all of these goals, the bank is
now better able to identify opportunities to attain each of them.
Tylor summarized the results of the changes by saying that while
some of the actions taken by management had put additional
pressure on the bank’s financial results and efficiency ratios, the
bank’s reputation had already started to improve in the eyes of the
community. Living the core values of the bank is now seen as integral
to the long-term strategy and will be highlighted to analysts and
investors alike.

6 Reminder: The examples do not illustrate a complete view of all enterprise risk
management practices in an organization. Each organization should consider and adapt the
principles set forth in the Framework to its specific strategies, risks, and opportunities
based on its size, scale, and complexity.
7 Names of organizations and people in this example are fictional, and any resemblance to
actual organizations and people is coincidental.

5. Strategy and Objective-Setting in an Energy Company

Industry Context⁸
Energy sector entities include those that are involved in the
exploration, production, or management of resources such as oil,
gas, and coal, as well as others that service these industries. Entities
are usually divided into three major components: upstream,
midstream, and downstream:

• Upstream entities find and produce energy commodities such as
crude oil and natural gas.
• Midstream entities process, store, market, and transport
commodities.
• Downstream entities refine, distribute, and retail energy
commodities.
Energy entities may be influenced by any or all of the following
external factors:
• Political intervention, which is often driven by the perceived
economic value (jobs) versus the social and environmental
considerations of any project and often gives rise to significant
regulation.
• Economic performance that can be strongly influenced by changing
commodities prices, such as crude oil and natural gas, and be
sensitive to changes in consumer demand.
• Social values, such as the call for clean energy (e.g., electricity) and
the health and safety concerns emanating from energy exploration
and distribution methods that may drive stakeholder activity.
• Technological advances in extraction, refinement, and distribution.
• Legal and environmental considerations related to extraction and
distribution.
They may also be influenced by the following internal factors:
• The importance of access to capital to maintain the viability of the
entity.
• The challenge of securing skilled labor for operations, sometimes in
remote locations.
• Processes to maintain safe and efficient operations that comply
with all laws and regulations.
• Technology that supports operations.

Key Benefits of Enterprise Risk Management in the Example
This example demonstrates how enterprise risk management, applied
in the setting of strategy, helps to increase the range of opportunities
and the allocation of future resources, and improves overall
performance by reducing variability in carrying out the chosen
strategy.

Principles Demonstrated
The following principles are primarily demonstrated in this example:
• Principle 6: Analyzes Business Context–The organization considers
potential effects of business context on risk profile.
• Principle 7: Defines Risk Appetite–The organization defines risk
appetite in the context of creating, preserving, and realizing value.
• Principle 8: Evaluates Alternative Strategies–The organization
evaluates alternative strategies and potential impact on risk profile.

• Principle 9: Formulates Business Objectives–The organization
considers risk while establishing the business objectives at various
levels that align and support strategy.

Facts and Circumstances⁹
A national downstream provider of oil and gas, Delta Company, has
been operating for over fifty years and is publicly traded. It is
regulated at the federal level, although local governments also have
input on significant infrastructure developments. The company has a
solid safety record, with only minor leaks in the distribution system in
recent years. The company has a mission that refers to the
acquisition and delivery of safe, reliable oil and natural gas in a
sustainable, cost-effective manner.
Over the years, Delta has generated consistently strong earnings, and
in the past five years it has been rated as “outperform” by many
analysts based on its earnings history, dividend policy, and safety
record. Delta’s management and board are eager to maintain this
rating, and they recognize that larger capital requirements, especially
those that may challenge the dividend policy, could trigger a
downgrade in that rating.

The organization is keenly aware that it has little ability to influence
demand for its products. The company is generally expected to
supply products to meet any level of demand. With current
expectations of growth in consumption, capital investment may be
needed unless efforts to influence demand can be put in place. With
this in mind, Delta is in the process of deciding whether to move from
traditional gas meters to smart meters.¹⁰
Gas Consumption
Current daily consumption of gas typically follows a pattern as
illustrated in Figure 5.1, which shows that the demand generally
hovers around 50% of the current distribution capacity. During heavy
periods of demand this can rise to 70% of capacity. Delta does not
wish to see demand exceed 85% of its capacity to deliver. As
demand increases closer to the capacity, the company will have to
consider adding costly infrastructure. In the current scenario, when
there is heavy demand, the usage is trending closer to capacity.

Discussion
Linking Risk Appetite to Mission and Vision
Senior management, as part of their annual review of risk appetite,
met on several occasions to discuss overall risk appetite. Individual
views on what constitutes acceptable risk taking for the business
were expressed, compared, and used as the basis of articulating the
overall risk appetite. There was strong consensus that the company
has always taken a conservative approach when dealing with
significant change that could introduce new risks or elevate current
risks to safety. This approach has always been considered prudent
given the nature of the product, the overall mission, and the
assessment of the maximum amount of risk Delta can absorb.
However, Delta is willing to accept slightly greater risk when
considering ways to improve customer service and overall financial
performance.
Management has chosen to portray risk appetite through the lens of
the key stakeholders: customers, employees, regulators, and
suppliers. By understanding what matters to the stakeholders, the
managers are better prepared to make decisions that align with those
views and reduce unintended challenges.

As they embarked on this effort, the organization initially considered
the impact on stakeholders of shifting to smart metering, comparing
the pros and cons, outlined in Table 5.1.

Based on what they found, the organization communicated its risk
appetite as follows:

Delta Company will pursue innovation where it leads to improved
customer service and efficiency in operations, unless such
innovation potentially elevates safety concerns or creates
significant disruption to business operations. Innovation that
creates significant concerns about ongoing financial performance
will be considered only where customer safety risks are
unacceptably high.
This risk appetite is cascaded through the entity, becoming more
focused for each department. (Note: As this example is focused on a
decision that has an impact on strategy, examples illustrating risk
appetite for a division or business unit are not shown here.)

Choosing a Strategy for Meters
The company had not upgraded its gas metering infrastructure in
many years, relying on traditional diaphragm meters for its residential
customer base. These meters are relatively inexpensive to produce
and install and generally have a long life expectancy. However, they
fail from time to time, causing customer supply to be cut off. Further,
they must be read manually, and they only capture gas usage at the
time of reading.
There are several factors the company needed to consider when
developing a new strategy for meters. First, the current infrastructure
did not allow the organization to manage consumer consumption
patterns, so it did not have the information it needed to implement
approaches that could change consumer behavior. For instance,
implementing peak period billing provides an incentive for customers
to shift discretionary gas usage to non-peak periods.
While the company had objectives relating to overall consumer
consumption, it could not develop acceptable levels of variation to
that objective under the existing information limitations. To address
this concern, the company identified an opportunity to use smart
metering technology, which would allow consumers to better manage
their usage. Delta explored a “go, no-go” decision on moving toward
this opportunity. Central to this decision was the infrastructure cost
associated with upgrading to the smart meters, the cost efficiencies
gained by not having to read meters manually, and the opportunity to
capture consumption data that was not currently available to the
company. Another key consideration was the safety concern of the
radio frequencies emitted by smart meters. Further, with expected
growth rates, Delta knew it might need to invest in added
infrastructure to meet growing demand.

Analyzing Alternative Metering Strategies
The company focused on two options: 1) retain the current
diaphragm meters, and 2) convert to new smart meters. In
considering these two options, the company reviewed the following
risk categories relating to its objective of managing natural gas
demand:
• Capacity: the extent to which system capacity expansion would
help satisfy increasing demand.
• Customer acceptance: the extent to which customers would
embrace new technology.
• Customer behavior: the extent to which customer behavior would
change once smart meters were installed.
• Economic: the extent to which smart meters would be economically
viable.
• Regulator/Government: the extent to which new restrictions on the
entity might be imposed or removed.
• Resources: the extent to which resources would be able to operate
the new technology.
• Safety: the extent to which safety would be compromised.
• Supplier performance: the extent to which supplier performance
would affect company performance.
• Technology: the extent to which designed technologies would
function as intended.
Key Observation
Risks in the initial assessment consider all stakeholders.

In order to meet the objective of managing gas demand,
management developed an initial profile for each of the two options
following these broad risk categories. As this profile was being used
for the initial consideration of the merits of moving to smart metering
technology, the organization completed the exercise on a qualitative
basis only. Should management decide to proceed with smart
meters, they may further refine this profile using quantitative
information when they install the meters.

Key Observation
Using the same objective for both scenarios increases comparability between the
resulting risk profiles.

Each of the risk categories contained within the profile was reviewed
by several departments in the company, most importantly by finance,
human resources, marketing, media relations, operations, and
strategy. Once management was comfortable that there was
consensus on the risk ratings, they were able to develop a
comprehensive risk profile for each option. Figure 5.2 shows the level
of risk relative to varying levels of consumer consumption for both
types of meters. The performance measure is shown as percentage
demand of natural gas system capacity. Delta is able to operate for
short durations above its capacity by accessing gas reserves from
other neighboring utilities.
Figure 5.3 combines the information for traditional and smart meters
in a graph comparing the risk profiles. It shows that the traditional
meter has less risk at the current target level of demand, but as
consumption increases, the overall amount of risk increases. Delta
has little ability to change overall consumer demand, but smart
metering provides a mechanism to change customer behavior, which
impacts the demand. At the level of upper performance tolerance, the
risk associated with the two types of meters is the same (Point A).
The profiles show that as demand increases beyond the upper
performance tolerance, the risk associated with the smart meter is
lower than the traditional meter. Some of the risks that change at the
upper demand levels for the traditional meter are customer behavior,
regulator/government, supplier performance, and resources.
Management decided to recommend moving to the smart meter
technology, based on the overall impact on capacity demand
(performance). Consequently, they built a full business case to
present to the board and, ultimately to the regulator, to approve the
change to smart meters. After meeting with management, Delta’s
board agreed with the recommendation.
This approach also addressed a concern about capital investment
needed to expand capacity. At current growth rates, Delta knew it
would need to expand system capacity over the next ten years.
Implementing smart meters created the ability to shift demand, which
would defer this capital expansion. Management believed that with
proper planning and oversight, the company could successfully
implement such a strategy. Installing smart meters would allow the
company to allocate capital resources based on the risk appetite
developed. They were also aware that similar companies in other
regions might be willing to share experiences in implementing these
programs (because they weren’t direct competitors). With all this in
mind, the senior management team, with the help of human
resources, began to identify individuals to hire or assist with the
project.

Cascading Business Objectives
Delta developed many supporting objectives to meet this high-level
objective of implementing smart meters. While not shown in this
example, the company considered questions such as:

• Do we have sufficient financial capital necessary to achieve the
objective?
• Do we have sufficient staff to carry out the tasks necessary to
achieve the objective?
• What processes, systems, or supporting technologies may be
impacted by setting this objective?
• What would happen if the company performs 20% or 30% above
the goal being set for this business objective?
• What would happen if the company performs 20% or 30% below
the goal being set for this business objective?
Figure 5.4 shows three entity-level objectives developed by
management and cascaded into various divisions, relating to project
management, information technology, and human capital. These
divisional objectives helped to address a risk to the entity-level
objective. In addition, the figure shows how the organization identified
risks to these objectives at each level.

Having considered the potential risks for the various business
objectives, Delta was confident they could achieve each of them.
Figure 5.5 follows the path of the first objective, “Identify a vendor
suitable for implementing smart meters,” and shows that Delta has
set acceptable variations in performance for these objectives.

As Figure 5.5 illustrates, Delta initially set the range of acceptable
variation for identifying qualified vendors at a minimum of three and a
maximum of eight. But upon review, the senior managers became
concerned that the specifications may be overly restrictive and could
exclude some potential vendors. Management debated lowering the
qualifications and potentially reducing quality and increasing
operating costs against the benefit of creating greater competition for
the contract. Following this discussion, the organization revisited the
qualification requirements, reducing some specification levels to
allow more vendors to prequalify.

Key Observation
Once the objectives are set, the conversation shifts to acceptable variation in
performance. Risk appetite is reflected in the setting of objectives and goals.

Next, the organization combined the information into a simple
depiction of the entity-level objectives, goals, and acceptable
variation and how the objectives cascaded into the business. Figure
5.6 illustrates how this was done for the first business objective on
project management. The other two objectives (in gray) would be
completed in a similar manner.
Looking Forward
From the outset, Delta set out to improve its ability to pursue new
opportunities, to enhance its allocation of resources, and to improve
overall performance by reducing variability in carrying out the chosen
strategy. Management gained confidence that they could foresee the
risks associated with adopting new smart meters versus retaining the
older-style meters. Those risks were considered in terms of
maintaining consistency with the overall mission and how the
decision might be viewed by its stakeholders—all cast through the
lens of risk appetite. Equally important, management came to
understand that it could reduce variability in demand by changing the
overall metering approach and deploying current resources more
efficiently instead of focusing more resources on existing processes.

Key Observation
The business objectives developed form the basis of the risk assessment considering
the risks to the achievement of each objective.

8 Reminder: The examples do not illustrate a complete view of all enterprise risk
management practices in an organization. Each organization should consider and adapt the
principles set forth in the Framework to its specific strategies, risks, and opportunities
based on its size, scale, and complexity.
9 Names of organizations and people in this example are fictional, and any resemblance to
actual organizations and people is coincidental.
10 This example has been simplified to focus on just one important strategic initiative. A
typical midstream company would likely have more than one initiative in development at
any time.

6. Strategy and Objective-Setting in a Not-for-Profit Entity

Industry Context¹¹
The not-for-profit sector consists of a wide variety of entities
dedicated to furthering a particular cause or advocating a particular
point of view. These entities are typically divided into two groups:
community-serving and member-serving. Community-serving entities
usually focus on delivering human services programs or projects, aid
and development programs, medical research, education, and health
services. Their reach may be local, regional, or international. Member-
serving entities include mutual societies, cooperatives, trade unions,
credit unions, industry and professional associations, sports clubs,
and advocacy groups.

Not-for-profit entities may be influenced by the following external
factors:
• Political stability, required to gain access to infrastructure and local
administration, such as permits.
• Government support to provide grants for the types of work that
these organizations perform.

• An understanding of what drives disposable income and corporate
profits, both of which are important for this sector as much of the
funding is donor generated and there is significant competition for
funds.
• The emotional aspect of giving, which affects what causes donors
respond to.
• Advances in technology that allow organizations to deliver services
more efficiently.

• Regulations on the delivery of aid from both the country the
organization is headquartered in as well as where aid is provided
(e.g., medical volunteers must comply with any licensing regulations
governing their profession).
They may also be influenced by the following internal factors:
• Capital needs for equipment and machinery.
• The right mix of permanent staff and skilled and non-skilled
volunteers.
• Effective processes for training to enable efficient and effective
response.
• The effectiveness and efficiency of response dependent on access
to current technologies.

Key Benefits of Enterprise Risk Management in the Example
This example demonstrates how enterprise risk management, applied
in the setting of strategy, helps to improve resource deployment.

Principles Demonstrated
The following principles are primarily demonstrated in this example:
• Principle 6: Analyzes Business Context–The organization considers
potential effects of business context on risk profile.
• Principle 7: Defines Risk Appetite–The organization defines risk
appetite in the context of creating, preserving, and realizing value.
• Principle 8: Evaluates Alternative Strategies–The organization
evaluates alternative strategies and potential impact on risk profile.

• Principle 9: Formulates Business Objectives–The organization
considers risk while establishing the business objectives at various
levels that align and support strategy.

Facts and Circumstances¹²
Echo Relief is an international not-for-profit entity operating in fifty
countries in both permanent and temporary locations. Its focus is
providing food, shelter, healthcare, and education to needy and
displaced persons around the globe. In responding directly to these
humanitarian needs, Echo relies on volunteers. In fact, approximately
90% of the personnel are volunteers and 50% of those return to work
on multiple projects. The majority of volunteers are retired military
personnel, doctors, dentists, nurses, emergency medical technicians
with trauma experience, teachers, and people with prior disaster relief
or aid experience. New volunteers are always paired with a “buddy”
who has previous experience with the organization.
Echo Relief receives funding primarily from individual and corporate
donors with a smaller portion coming from government grants for
specific projects. Most donors designate donations to be used
“where needed most,” which provides flexibility in applying
resources. Echo uses 14% of donated funds on administrative costs,
and the remaining 86% goes to programs and projects (80% is
generally considered as efficient for a not-for-profit entity). The
percentage assigned to programs and projects can be a differentiator
when competing with other entities for donors, some of which are
large international entities and religious organizations.
The mission statement is “Echo Relief helps meet the needs of
people who are victims of war, poverty, natural disasters, disease,
and famine.” To perform on this mission, Echo provides relief for
ongoing needs relating to disease and famine, and offers immediate
response for disasters. In a recent strategy review, senior leadership
focused on whether they wanted to concentrate their resources on
the short-term response projects or the long-term community
transformation projects.

Discussion
Linking Risk Appetite to Stakeholder Goals
As a part of regular performance reviews, Echo Relief found that it
was making inconsistent decisions about deploying its resources to
different projects. In some cases projects were accepted that
stretched both volunteer and monetary resources. Consequently, the
board of directors decided that management should develop a risk
appetite statement. Echo has several stakeholders and the board
wanted to include perspectives from permanent staff, volunteers, and
donors in articulating the overall risk appetite. The discussion
centered on three core areas of concern:
• Staff and volunteer safety: because Echo Relief is mandate driven
and the projects accepted are often in fragile and conflict-affected
areas, they are willing to take on a moderate amount of risk relating
to the safety of staff and volunteers.
• Misuse of funds: the need to be good stewards of donor funds
requires a low appetite for risks relating to misuse of funds.
• Financing new programs: given the donor history, with a large
portion of funding coming from the general public with no
restrictions, Echo Relief has a higher appetite to take on risk relating
to financing new programs. It does not need to run targeted funding
campaigns and is able to fund new, innovative programs.

After the discussion on risk appetite, Echo Relief wrote the following
risk appetite statement for the entity overall:
Echo Relief will pursue new programs that enhance delivery of
services to those in need within our financial ability. We will accept
moderate risk to the safety of staff and volunteers as we respond to
disasters. In order to maintain good stewardship of donor funds, we
have a low appetite for risks related to misuse of funds.
In order to cascade the understanding of the statement, management
portrayed risk appetite in greater detail by aligning statements with
the stakeholders noted above. For instance, the part of the risk
appetite statement relating to staff and volunteers added clarity on
decisions impacting those individuals. These statements were cast as
shown in Figure 6.1.

Choosing a Strategy for Delivering Aid

In recent years, Echo Relief has seen an increasing global need for
the type of aid they deliver. This increase was identified through a
trend analysis of the number and types of projects that have been
undertaken (and not undertaken) in the last five years. In many cases
the demand far surpasses the supply of available aid. Different parts
of the world suffer from conflict, poverty, and natural disasters,
requiring aid to be delivered through various channels. In the case of
disaster relief, the usual response is to set up a temporary operation
that requires less capital, but that can be hampered by the lack of
infrastructure needed to deliver supplies and materials. In the case of
ongoing relief in response to systemic poverty and widespread
famine, Echo invests directly in communities through schools,
hospitals, nutrition programs, and water sustainability projects that
often require larger capital outlays.

As part of its annual strategy assessment, Echo Relief decided to
revisit the strategies for delivering aid, primarily to determine which
had the greatest impact on the communities they were serving.
Senior leadership focused on two strategies: emergency relief and
disaster recovery. (Previously, Echo provided emergency relief, but
realized they had a larger impact when they arrived after the initial
relief efforts and focused on helping communities rebuild and
recover.)

Analyzing Emergency Relief and Disaster Recovery Strategies
The initial discussion of the two strategies revealed a third option,
which was to perform both strategies simultaneously. Senior
leadership wanted to understand how the risk profile would change in
that case. The three alternatives were developed to assist Echo Relief
meet its stated objective “to provide recovery assistance to as many
vulnerable or displaced people as possible.” In considering these
alternatives, the entity focused on the following risks as a part of the
risk profile:
• Safety of volunteers: the possibility of harm to staff and volunteers.
• Partner relations: the possibility of no partners with acceptable
locations to deliver aid.
• Government relations: the possibility of governments either from the
headquarters country or the country receiving aid not allowing the
aid to be provided.
• Misuse of funds: the possibility of funds being used for
unacceptable purposes.
• Human capital: the possibility of not having skilled volunteers.
• Supplier performance: the possibility of suppliers being unable to
deliver supplies to the recovery area.
• Donor engagement: the possibility of donors not donating to the
project.

Key Observation

When developing a risk profile, the element of time should not be included as a factor.

Using these broad risk categories, senior leadership developed an
initial profile for each option to consider the merits of investing in one
of the two strategies, or the two together. The exercise was
completed qualitatively using a scale from 1 to 10, not by developing
a specific quantitative model. Each of the risks noted were reviewed
by several functions in the organization, most importantly by security,
donor engagement, governmental liaison, partner relations,
operations, finance, and human resources. Once leadership was
comfortable that there was consensus on the risk ratings, they were
able to develop a comprehensive risk profile for each option, showing
the level of risk relative to the number of people assisted. Figure 6.2
shows the risk profile for each strategy.
When the three risk profiles are combined on one graph, as in Figure
6.3, their respective risk curves can be compared.
In this example, Echo Relief’s risk appetite is above its capacity.
During discussions, the senior leadership said they were willing to
respond to any situation where people needed help, even if the
funding or personnel is not immediately available, provided that there
is a reasonable expectation that funding can be attained after the
fact.
They also noted that the target performance goal is different for
Options A and B compared to Option C. If either Option A or Option
B were selected, the target would be set at 40,000, and Echo would
likely breach risk appetite once assistance increased into the range of
70,000 to 80,000 people. They noted that with Option C they had the
ability to assist more than twice the people because they would be
maintaining the same number of headquarters staff regardless of the
number of projects. Therefore, the ratio of overhead costs to projects
would go down for every additional project added.
The risk profiles prompted a discussion about performance. Option B
(disaster recovery) has less risk than the other two strategies, until the
number of people helped increases to approximately 60,000. If Echo
were to select Option B, they could move performance from 40,000
to 60,000 people helped with little increase in the risk taken. If they
were to choose Option C, they could potentially help even more
people. Note that the risk profiles do not show a tolerance for
acceptable variation in performance; at the time a disaster occurs,
Echo Relief would determine the lowest number of people aided that
would make the response worthwhile.
Echo Relief ultimately chose a strategy based on the number of
people who they could assist within their risk appetite: Option C.
However, the leadership team recognized the need to monitor funds
and personnel as aid delivery begins to approach 120,000 people at
any given time to make sure they had the ability to continue
operations.

Cascading Business Objectives

After deciding to pursue both strategic alternatives simultaneously,
Echo Relief developed entity-level business objectives to meet this
goal, and these were then cascaded throughout the entity. Then,
each division developed division-level objectives in response to risk
to the entity-level objectives.

Key Observation

When developing business objectives, be sure to consider all the risks identified as part
of the strategy.

Some of the questions that Echo Relief considered as a part of
setting the business objectives were:
• At what point do we evacuate volunteers and staff due to safety
concerns?
• Do we have the appropriate partners on the ground to deliver the
aid?
• What if the government does not allow us access to the damaged
areas?
• What is the best allocation of funds to achieve objectives?
• Does the organization have enough available and capable
volunteers to deliver the aid?
• What are the implications to the organization from a supplier
perspective if there are 10% to 20% more than the target number
of people who need assistance?
• How do we obtain enough donor-generated funds to continue
operations?

Having considered these matters in the setting of the business
objectives, Echo Relief determined they could reasonably expect to
successfully achieve them. Figure 6.4 illustrates how entity-level
objectives cascade to division-level objectives for four divisions of the
organization (partner relations, marketing, supply chain and human
capital). The organization identified risk from the entity-level objective,
and then developed divisional objectives that addressed the entity-
level risk. From there, the organization identified risks to the divisional
objectives.
For the first objective, to identify local partners to deliver aid, Echo
Relief set a target of having accredited partners identified in advance
in or near each of its fifty country locations, so that when a disaster
occurs, or a community development project is approved, it already
knows who it can work with (see Figure 6.5). Considering risk
appetite in setting the acceptable variation around this target, senior
leadership concluded that with fewer than twenty-five accredited
partners the organization could not create a sufficient number of
programs to deliver needed services, and would therefore be outside
its risk appetite. Conversely, with more than 100 accredited partners,
efforts would be spread across too many partners to deliver the
intended services.
Next, the organization combined the information into a simple
depiction of the entity-level objectives, goals, and acceptable
variation and how the objectives cascaded into the business. Figure
6.6 illustrates how this was done for the first business objective on
identifying local partners. The other three objectives (in gray) would
be completed in a similar manner.
Refreshing Strategy to Deploy
Resources Effectively
In applying the principles relating to strategy and business objectives,
Echo Relief refreshed their strategy based on their mission and vision.
They considered the risk associated with the refreshed strategy and
developed business objectives taking those risks into account.
Through the process of cascading business objectives from the
entity-level to the divisional level, the organization identified risks to
the strategy at each level, and developed further strategies to
address those risks. Refreshing the strategy allowed Echo Relief to
deploy resources more efficiently and to enhance the value it could
provide to the regions it serves.

[11] Reminder: The examples do not illustrate a complete view of all enterprise risk
management practices in an organization. Each organization should consider and adapt the
principles set forth in the Framework to its specific strategies, risks, and opportunities
based on its size, scale, and complexity.
[12] Names of organizations and people in this example are fictional, and any resemblance to
actual organizations and people is coincidental.

7. Performance in a Consumer Products Company

Industry Context [13]
The consumer products sector includes a wide variety of companies
ranging from mass retailers and specialty stores to manufacturers
and distributors of packaged goods, such as food and beverages.
Consumer products companies often seek profitable growth by
expanding business scale and scope while simultaneously
rationalizing operations.
Consumer products entities may be influenced by any or all of the
following external factors:
• Political interventions, often driven by consumer safety, and social
and environmental considerations.
• Commodity prices that affect the cost of manufacturing and
distribution.
• Disposable income of consumers, which is a by-product of factors
such as unemployment, wage levels, and inflation.
• Consumer preferences that change rapidly, particularly in the food
and beverage industry (e.g., the trend toward healthier, sustainable
food products).
• Digital consumer engagement that is reshaping the way companies
interact with their customer base.
• Regulations pertaining to climate change, resource scarcity, and
consumer protection.
They may also be influenced by the following internal factors:
• Access to capital to support investments in technology and
research and development, as well as to support mergers and
acquisitions.
• Skilled workers needed for research and development for innovative
products.
• The need to invest in more sustainable, efficient, and effective
processes.
• Technological advances and investments in data analytics to
extract consumer insight and improve cybersecurity as more
transactions occur online.

Key Benefits of Enterprise Risk Management in the Example
This example shows the benefit of enterprise risk management to
identify and manage entity-wide risks.

Principles Demonstrated
The following principles are primarily demonstrated in this example:
• Principle 10: Identifies Risk–The organization identifies risk that
impacts the performance of strategy and business objectives.
• Principle 11: Assesses Severity of Risk–The organization assesses
the severity of risk.

• Principle 12: Prioritizes Risks–The organization prioritizes risks as a
basis for selecting responses to risks.
• Principle 13: Implements Risk Responses–The organization
identifies and selects risk responses.
• Principle 14: Develops Portfolio View–The organization develops
and evaluates a portfolio view of risk.
Aspects of the following principles are also demonstrated in part in
this example:
• Principle 20: Reports on Risk, Culture, and Performance–The
organization reports on risk, culture, and performance at multiple
levels and across the entity.

Facts and Circumstances [14]

Friendly Fruit Juice Company, founded in 1996, is a regional family-
owned manufacturer and supplier of fruit juices with approximately
500 employees. Friendly Fruit Juice strives to be the leading beverage
supplier of healthier and tastier juices in the region, and its mission
statement makes this clear:

Our mission is to create and maintain a sustainable company that
embraces product innovation to satisfy customer needs for a
healthier and tastier juice while maintaining community trust.

During its early years, Friendly Fruit Juice considered risk whenever a
significant issue arose. Often, Jamie Doyle, the chief executive officer
(CEO), would create small teams to identify the causes of the issue
and potential solutions. However, as the company grew, Jamie
realized the importance of having more timely and insightful
information for the business. The organization began to shift its focus
from these one-off meetings to integrating enterprise risk
management capabilities into daily business operations, mainly with a
goal of identifying and managing entity-wide risks. As enterprise risk
management has become more embedded in strategic decision-
making, management has increasingly focused on considering
various strategies, choosing the one that best fits the company’s core
mission.
Friendly Fruit Juice takes the time in the monthly senior management
meetings to discuss risk as it relates to the overall performance of the
business. Jamie also spends much more time updating the board of
directors on these conversations and engaging them to capture their
own views.

Note: This example focuses on one business objective only. In
practice, the company would have multiple objectives, and these
activities would be performed over those objectives, and the effect on
the multiple objectives would be analyzed.

Discussion
Every week the marketing department reviews various mainstream
and social media postings to identify changes in customer sentiment
and identify any public issues with the reputation and brand.
Recently, the marketing director, Angarika Kapur, identified an
escalating trend in comments about the company’s juice line, with
many consumers requesting plant-based juices. The director
identified this change in the environment as potentially affecting the
company’s ability to meet one of its stated objectives: “develop
innovative products to meet customer needs.”

At the next monthly senior management meeting, Angarika raised this
issue, and the group discussed the consumer feedback as an
opportunity for Friendly Fruit Juice to develop a new line. They
presented their proposal to Jamie for consideration in the planning
process. After looking at how well this opportunity aligned with the
mission and vision, and considering the potential risks that could
arise by selecting such a course of action, the company decided to
develop a line of plant-based drinks. [15]
Based on their historical record of delivering new products to market,
Friendly Fruit Juice set an objective to have the plant-based drink
represent 20% of their product line by the end of the first year of
production. This objective cascaded into the organization as shown in
Figure 7.1, which focuses on identifying risks across four main
aspects of the business: procurement, manufacturing, distribution,
and marketing.

Each department discussed the risks associated with the objectives
at their level and then selected their own approach, based on the
initial views of the new goal.

• The Procurement Department, under the direction of Marley Harper,
had an initial view that many risks would be similar to those relating
to procurement of fruit juice, and selected an approach based on
round-table discussions.
• The Manufacturing Department, under the direction of Simone
Jorgensen, also had an initial view that many risks would be similar
to those relating to fruit juice production. She initially conducted an
internal meeting with her department, and they soon realized that
adding a new product line introduced greater complexity to
scheduling. Consequently, they developed more detailed modeling
to better understand the risks of introducing this new product line.

• The Distribution Department, under the direction of Fabien Pisarski,
wanted to take a different approach from the start. They undertook
a process analysis to better understand what risks could impact
their distribution channels.
• The Marketing Department, under the direction of Angarika Kapur,
felt that they needed more external information. They used a variety
of publicly available data to capture risks, and they ran a series of
focus group sessions with potential users to understand the risks
impacting their ability to generate sales.

Procurement
The Procurement Department was responsible for identifying the raw
materials for the new plant-based juice line. Marley Harper’s team’s
primary objectives focused on obtaining high-quality ingredients at
the best possible price and adhering to all regulations regarding
pesticide usage. They also considered the company’s values and
sourced ingredients from local growers whenever possible (although
this was not a direct objective). They discussed the current business
environment and how it would affect the new juice line. Friendly Fruit
Juice sourced 90% of its fruit from five growers, four of which were
located within 100 miles of the processing plant. Although Friendly
Fruit Juice Company sourced ingredients primarily from local
vendors, it had agreements with vendors from other regions to allow
for the variability of weather conditions, which significantly affect
supply and prices. Of the five growers, three were also growing
vegetables that could be used for the new line. All five had strong
records of strictly adhering to government requirements on pesticide
use.

The team identified risks relating to the objectives of the department,
shown in Figure 7.2. They also discussed some of the responses that
were in place across the department to manage these risks, and then
they assessed each risk on a scale of 1 to 5 for likelihood and impact
(a scale developed and recommended by the management team).
The procurement team reviewed the risk ratings, focusing on the
possibility that the shift to plant-based juices would result in higher
costs and impact the financial goals of Friendly Fruit Juice Company in
light of the company’s risk appetite statement, “Friendly Fruit Juice
Company is willing to take on risk in pursuit of value as we strive to
be innovative in the development of products to meet our customers’
needs and remain competitive in the beverage industry.” The
procurement team concluded that this shift in production could
impact the achievement of the financial goals, but that the overall risk
to the objective was still within the company’s risk appetite.

Manufacturing
The Manufacturing Department also added the new line as a point of
discussion during its daily production run meetings. Simone
Jorgensen’s team had two primary objectives: meet customer
demand and produce high-quality juices at the best possible price.
The managers and directors of the department discussed the
performance target of having the plant-based product line account
for 20% of sales by the end of the first year. In their review of what
would be required to break down plants into juice, they determined
that no changes to the existing machinery would be needed. They
also discussed the potential of demand being greater than
anticipated and how that might affect production, noting that they
had two manufacturing plants in their distribution area to allow for the
raw materials to be sourced locally, and both plants were located
within a twenty-four-hour drive, which would allow for additional
capacity should there be a problem with any of the machinery used in
production. On this second point, they attained greater confidence
through modeling product flow from procurement through the full
manufacturing process, including the time needed to change
production runs from fruit-based to plant-based production, and vice
versa.
The Manufacturing Department identified four risks associated with
the objectives of the manufacturing department relating to the new
plant-based juice line, as shown in Figure 7.3.

Distribution
The Distribution Department identified two main objectives relating to
the new juice line: get the product into the distribution channels used
by target clients and leverage existing channels for efficiency and
best cost. Friendly Fruit Juice followed a selective distribution model
and focused their distribution channels on specialty retailers for
distribution of their current product line. The distribution for the new
line was anticipated to be similar, with the addition of a few new
vendors. Fabien Pisarski’s team did a process analysis and then
discussed the risks that they were currently managing for the fruit-
based line and how the new line might change those risks or add new
ones. The discussion centered on the ability to meet their two primary
objectives, as shown in Figure 7.4. The distribution team then
assessed the risks on the scale for likelihood and impact, as shown.

Fabien also brought her knowledge of the risks to the monthly senior
management meeting.

Marketing
The primary objective of the Marketing Department was to generate
new sales for the plant-based juice line. Friendly Fruit Juice Company has
focused on specialty retailers for distribution of their current product
line. After the decision was made to develop the plant-based juice
line, Angarika Kapur’s team reviewed information captured from a
variety of publicly available data and the focus group sessions with
potential users to understand the risk in developing a marketing plan.
Once the product launched, the marketing team met weekly to review
the prior week’s sales. As a part of these discussions, Angarika led a
discussion on what could prevent the company from meeting the
objective of the new product accounting for 20% of the sales mix by
the end of the first year. Figure 7.5 illustrates the risks identified.

When combined, the relationship between objectives and risks
becomes apparent, as shown in Figure 7.6.
This view also noted some interesting relationships beyond just risks
to objectives:
• As there is a dependency between two objectives (one relating to
procurement and one relating to manufacturing), the pricing risks to
one of those objectives may impact the ability to achieve the other
and the overall business objective. (This is depicted as “A” on
Figure 7.6.) There is also a third objective relating to distribution
which has a cost aspect and could also impact the ability to
achieve the overall business objective.
• One similar risk was noted by two different groups: marketing and
distribution. Each group also assesses this same risk differently.
(This is depicted as “B” on Figure 7.6.)
Assessing and Prioritizing Risks
Once all the departments identified and assessed the risks
associated with the relevant objectives, Marley, Simone, Fabien, and
Angarika aggregated the information at the enterprise level. That
information helped them to understand how the likelihood and impact
of the risks may change at different levels of the company.

Key Observation

Risk should be considered through the lens of objectives so that resources can be used
efficiently.

To assess the severity of risk on enterprise objectives, they used
information from a review of business plans and budgets; prior risk
assessments; financial, board, and annual reports; customer surveys;
and social media postings. In addition, they used the company’s
historical risk occurrence and publicly available information from
other small beverage companies to determine the likelihood of the
risk occurring.
As an interim step in examining the information, the team
consolidated their respective risk assessments. They recognized that
the consolidation presented more of a risk-centric view rather than an
analysis of the effect of the risks on the objectives. The consolidation
is shown in Figure 7.7 with the severity of each risk color-coded: red
= high; yellow = medium; green = low.
Marley, Simone, Fabien, and Angarika wanted to use the risk
information obtained from the different departments to understand
the effect on the enterprise objectives and determine after
prioritization what risk responses they should employ. To that end,
they discussed whether each business objective was at risk. Three of
the seven objectives required little discussion, and they determined
that the status of those objectives was the same as the related risks
(either green or yellow).

Key Observation

When assessing the objectives, the risk with the highest severity may not directly
transfer to the objective. The effect on objectives should be discussed.
Procurement
When they discussed the risks to the objective “Obtain high-quality
ingredients at the best possible price,” there was general consensus
that finding the right mix of ingredients would be critical to achieving
a tasty beverage. That meant more ingredients may be required,
which would represent a greater risk to the achievement of the
objective. Further, the dependency on multiple departments
increased the concern over achieving this objective. Therefore, the
team decided to rate the objective as medium (yellow). The second
objective “Adhere to all regulations regarding the use of pesticides”
was rated as medium, consistent with the respective risks.

Manufacturing
When they discussed the objective “Meet customer demand,” they
considered whether the risk that had been measured as high (red)
would translate to the objective being a higher risk. The senior
management team determined that the new quality assurance
process recently put into place across the department had not been
fully considered when assessing the risk, and therefore the severity of
the risks impacting the achievement of the objective was lower. The
second objective of “Produce high-quality products at the best
possible price” was rated as medium, consistent with the respective
risks.

Distribution
The conversation about the objective “Get the product into the
distribution channels used by customers” sparked much discussion
about how it should be measured. Given that the risks to this
objective were assessed as medium (yellow) and high (red), Marley,
Simone, Fabien, and Angarika wrestled with several questions:
• Should we combine the risk ratings for these two risks and use that
for the objective?
• Does one risk warrant more attention at the enterprise level than the
other?
• Considering both risks, what is the overall impact on the
performance for that objective?
They also considered that the risk was assessed differently by
different teams. The initial assessments were viewed as reasonable
for the respective areas. Ultimately they determined this objective
was at higher risk given the contract environment with current
vendors. Many contracts had been recently negotiated and the
marketing department expressed concern with the negotiating
process for several of the vendors. The second objective of
“Leverage existing channels for efficiency and best cost” was rated
as moderate, consistent with the respective risks.

Marketing
Finally, the conversation about the objective “Generate new sales for
the plant-based juice line” had a more diverse risk assessment. While
there was overlap with other objectives and there remained a
lingering concern that a new plant-based line would have targeted
success, the management team remained confident that, overall,
there was a lower level of risk to the department objective.

Overall Analysis
After the discussion, it was determined that the company still had a
reasonable expectation of meeting the business objective and target
of “Develop a plant-based juice product that meets customer needs
and represents 20% of the overall product line.” The outcome of all of the
discussions of the objectives and the risks is shown in Figure 7.8.
By approaching the discussion of risks through the different
objectives they may impact, the team was able to determine which
objectives were at greatest risk of not being achieved and the effect
on the overall performance of Friendly Fruit Juice Company.
Specifically, this approach enabled the team to identify:
• Risks that could significantly impact a single objective
• Risks that could impact multiple objectives and be considered
significant as a result
• Objectives that have a greater number of risks
• Dependencies between different risks and objectives that could
influence their rating
Key Observation

When prioritizing risk, organizations with multiple objectives and interconnected risks will
face a more complicated process. Additional considerations of complexity, adaptability,
velocity, persistence, and recovery should be considered.

Further discussion noted that additional considerations—beyond risk
severity—were needed when determining which risks and objectives
required management’s focus. The establishment of prioritization
criteria was intended to help management select and implement
appropriate risk responses and the deployment of limited resources
based on the risk ratings and the status of the objective. Marley,
Simone, Fabien, and Angarika considered two added criteria:
adaptability and complexity.

• Adaptability was considered from the view that the company was
embarking on a new product line. Some objectives tied to
launching the new product line were impacted by the same risks
relating to its current product line, such as those relating to pricing
and distribution. However, other objectives could be impacted by
new risks that management would need to address for the first
time, such as the ability to appeal to a broader range of customers
and possible issues with product consistency and quality. Their
confidence in managing new risks to objectives was less than it was
for risks with well-proven responses, and there may be some
refinement needed when managing these risks. Risks that required
greater adaptability or change management efforts were prioritized
above those that did not.
• Complexity was viewed through the perspective of whether some
risks would impact other risks, or whether underperformance on
one objective would impede the achievement of another objective.
While several objectives were viewed as having potential overlap,
three objectives were identified as having important cost pricing
dependencies. These objectives related to procurement,
manufacturing, and distribution and the relevant risks were
prioritized as a result.
With this added information, Marley, Simone, Fabien, and Angarika
agreed that while the company needed to address all objectives, two
in particular required a more focused attention.
1. The manufacturing objective “Produce high-quality products at the
best possible price” was considered by management as needing
added focus as there were several medium-rated risks tied to that
objective and there were noted dependencies with the
procurement objective “Obtain high-quality ingredients at the best
possible price”.
2. The distribution objective “Get the product into the distribution
channels used by customers” was one of two objectives
associated with a red risk and the only objective to be assigned a
red status. While there was one other higher-rated risk impacting
the manufacturing objective “Meet customer demand”, the overall
assessed risk to the manufacturing objective was deemed lower,
suggesting that risks to this objective did not require the same
level of attention as the risks to “Get the product into the
distribution channels used by customers”.
In selecting the appropriate responses for the related risks (and
hence objectives) that were identified as the highest priority, the
management team considered the following factors:
• Business context: Risk responses were selected and tailored based
on the current business context for the company. Friendly Fruit
Juice Company enjoyed a strong brand following based on the
quality of the products used. The existing product lines used
organic, locally sourced materials where available.
• Costs and benefits: The strategy of producing a high-quality
beverage using organic, locally sourced materials without additives
could result in additional cost. Leonard Kruit, the chief financial
officer, produced an analysis showing the increased cost of
materials against the potential sales and revenue figures.
• Obligations and expectations: Compliance and regulatory
requirements, stakeholder expectations, and other obligations were
considered. A primary stakeholder for the company is the
consumer. Considering the prioritization criteria, senior
management decided to add two new suppliers to their vendor list
to provide the plant-based materials needed for their new line.
• Risks emanating from the response: New risks that may arise from
selecting particular responses were also discussed. Given the
response of adding two new suppliers for the plant-based
materials, the team considered the potential risks to the current
supply chain and any impacts on the contracts with current
suppliers.
• Opportunities emanating from the response: The team considered
what new opportunities may develop from selecting particular
responses. One of the two new vendors was a locally operated farm
that maintained a market on site for its goods and a booth at one of
the premier farmers’ markets in the area. Friendly Fruit Juice
determined that this could be an opportunity for joint marketing and
adding locations where their goods could be sold.

Review of Risks Impacting Manufacturing Objective
Of the risks relating to the functional unit objective “Produce high-
quality products at the best possible price,” focus was given to “The
possibility that the cost of manufacturing plant-based juices is higher
than fruit-based juices.” Marley, Simone, Fabien, and Angarika
considered each of the following potential responses.
• Accept: While there is a potential impact on the reputation, brand,
and trust if there were an issue with the quality, the management
team was not willing to produce quality products without
considering the cost of manufacturing. The team determined it
would not accept this risk.
• Avoid: The plant-based juice line aligned with the mission and risk
appetite, and therefore the company determined to move forward
with the strategy. Therefore, they did not select the risk response
“avoid.”
• Pursue: The team reviewed the performance targets for the new line
and determined that they did not want to pursue increased risk for
increased performance.
• Share: Various outsourcing options were considered and
determined to be unsuitable.

• Reduce: The team determined that the company should reduce the
severity of the risk. Some of the actions included:
− Developing a detailed understanding of the new manufacturing
process and where costs were most impacted in that process
− Developing real-time indicators that help identify when those
areas of greatest impact on cost are exceeding acceptable levels
of performance, thereby allowing for management intervention
much earlier
− Designing a new quality assurance procedure for the production
of the new line to avoid costly product waste.
Once these actions are put in place, the team believes that the risk
will reduce in severity to an amount consistent with the overall levels
desired by the company.

Review of Risks Impacting Distribution Channel Objective
Of the risks relating to the functional unit objective “Get the product
into the distribution channels used by customers,” one stood out as
having a higher severity: “The possibility that the new product cannot
be placed at current vendors and its impact on inventory.” The team
considered each of the following potential responses.

• Accept: The severity of this risk would place performance outside of


tolerance, and therefore senior management will not accept it.
• Avoid: The plant-based juice line aligned with the mission and risk
appetite, and therefore the company decided to move forward with
the strategy. Therefore, they did not select the risk response
“avoid.”

• Pursue: The team determined that there was an opportunity to


pursue new vendors and joint market the plant-based line with
vendors who also maintained farmers’ market stands.

• Reduce: The team determined that the company could reduce the
severity of the risk. While they considered various options on how
management could do that, they felt that the risk response would
be more effective if they were able to partner with another party.

• Share: One possible action included negotiating new agreements


with current distributors. Friendly Fruit Juice entered into an
agreement with a reseller to take any unsold plant-based juices who
would in turn convert these juices into generics for resale.
Once these actions are put in place, Marley, Simone, Fabien, and
Angarika believe that the risk will reduce in severity to an amount
consistent with the overall levels desired by the company.

Management’s Consideration
The discussions of the monthly senior management meeting were
captured to update the portfolio view of risk, which was presented to
the board. The focus of this presentation was the performance goals
associated with the business objectives that are either over- or
underperforming, the current portfolio view of risk, emerging risks,
interconnectedness of the risks, and what has changed since the
previous quarter. The presentation covered both quantitative
information, such as the combined potential financial impact of
certain related risks, and qualitative information, such as descriptions
developed by Marley, Simone, Fabien, and Angarika describing how
additional or modified responses were expected to reduce the
severity of risk.
After every quarterly presentation to the board, the results are
incorporated into dashboards, and staff meetings are held to
communicate the results and the monitoring and mitigation activities
to be implemented. The dashboard is organized by objectives and
includes a view from each level of Friendly Fruit Juice Company.

An Objective Perspective
As noted initially, Friendly Fruit Juice Company’s foray into
developing a stronger enterprise risk management approach was
driven by its goal to better identify and manage company-wide risks.
Through improved identification, assessment, prioritization, and
response activities, Friendly Fruit Juice recognized it could achieve its
objectives. They came to understand that the amount of risk to
objectives cannot be simply calculated by averaging likelihood and
impact. Rather, to meaningfully analyze their ability to meet their
objectives, the organization needed to look at their risks from an
overall perspective and understand how the performance of one
objective might affect the achievement of another. This perspective
provided Marley, Simone, Fabien, and Angarika with greater clarity on
which objectives required the most attention and what responses
offered a more efficient use of their respective resources.

13 Reminder: The examples do not illustrate a complete view of all enterprise risk
management practices in an organization. Each organization should consider and adapt the
principles set forth in the Framework to its specific strategies, risks, and opportunities
based on its size, scale, and complexity.
14 Names of organizations and people in this example are fictional, and any resemblance to
actual organizations and people is coincidental.
15 This example does not attempt to show how various strategies are evaluated and
selected; this aspect of the example has been condensed.

8. Performance in a
Technology Company

Industry Context16
The technology sector consists of companies involved in the
production or delivery of technological products and services, such
as computers, semiconductors, software, IT infrastructure and
services, telecommunications, and home entertainment.
Technology entities may be influenced by any or all of the following
external factors:
• Political and government regulatory approaches to spectrum usage,
cloud computing, data privacy, sustainability, and infrastructure.
• Competition from cloud-based products and services that impact
the margins of traditional hardware businesses and affect people
with lower disposable incomes in developed countries, who are less
likely to buy high-end consumer products.

• Consumer demand for end-to-end solutions that make the


customer experience seamless and secure, such as cyber security
products and services, and technologies that improve overall
productivity and efficiency.

• Rapid technological changes, growing technological complexity,


and the shortening of product life cycles.
• Regulatory and legal requirements arising out of political and
government changes and legislation.
• Climate change and sustainability demands that push companies to
provide incentives to reduce, reuse, and recycle devices.
They may also be influenced by the following internal factors:
• Capital demands to sustain merger and acquisitions activities and
increased liability in pensions, minimum health benefit
requirements, and legacy staff and low-skilled labor.
• The need for skilled employees, which increases the urgency to
retain current talented staff and outsource entry-level jobs.
• Processes required to obtain third-party assistance to deploy and
integrate new services and technologies.

• Innovation in technology that drives efficiency and relevancy of


companies in the market.

Key Benefits of Enterprise Risk Management in the Example
This example shows the benefit of enterprise risk management to
identify and manage entity-wide risks.

Principles Demonstrated
The following principles are primarily demonstrated in this example:

• Principle 10: Identifies Risk–The organization identifies risk that


impacts the performance of strategy and business objectives.
• Principle 11: Assesses Severity of Risk–The organization assesses
the severity of risk.

• Principle 12: Prioritizes Risks–The organization prioritizes risks as a


basis for selecting responses to risks.
• Principle 13: Implements Risk Responses–The organization
identifies and selects risk responses.
• Principle 14: Develops Portfolio View–The organization develops
and evaluates a portfolio view of risk.
Aspects of the following principles are also demonstrated in part in
this example:
• Principle 8: Evaluates Alternative Strategies–The organization
evaluates alternative strategies and potential impact on risk profile.
• Principle 20: Reports on Risk, Culture, and Performance–The
organization reports on risk, culture, and performance at multiple
levels and across the entity.

Facts and Circumstances17
Gulf Technology Company is a national firm that operates in three
different sectors: technology services, software, and hardware. It is a
publicly traded company and has been serving individual consumers,
businesses, and governmental agencies for over twenty years.
Recently, Gulf Technology has experienced rapid growth through
mergers and acquisitions. The company strives to be an industry
leader in a business environment facing intense competition, rapid
technological changes in products and services, and growing
pressure on margins and overall profitability.

Gulf Technology believes that its growth and success in the


technology sector can be attributed to the shared values and
innovative spirit of its team. The governance structure comprises the
board of directors and its committees, and multilevel management
teams across the three departments. The company clearly defines the
roles and responsibilities of everyone at every level for achieving its
mission to lead the industry in the invention, development, and
manufacture of the most advanced technologies for services,
software, and hardware.
Senior-level management has worked to instill a culture in which
people—regardless of level—manage risk as an intrinsic part of their
job. This culture supports open communication about risk,
encourages employees to express concerns, and maintains
processes for elevating concerns to the appropriate level. Rather than
being risk averse, employees strive to understand the risks of any
activity they undertake and to manage and pursue them accordingly.
One division of the hardware business line received the approval and
budget from senior management to design and develop a new
product. The business objective for this division is to achieve sales
goals for all new product launches. Supporting this objective are four
new product objectives: 1) develop high-quality products, 2) minimize
losses and inefficiencies, 3) be first to market with innovative
products, and 4) provide high customer satisfaction with its products.
All of these business objectives support one of Gulf Technology’s
overall objectives: develop innovative IT hardware products that are
secure and cost-effective, and address consumer needs (see Figure
8.1.)

Discussion
To succeed with the product development and launch, Gulf
Technology formed a working group for the life cycle of new product
development, as Figure 8.2 shows. The group comprises
representatives from marketing, finance, development, and supply
chain, plus individual designers (front-end, industrial, etc.), and a
product manager who leads it. The group meets weekly to discuss
the status of the product during each phase of development. Any
member of the working group can raise for discussion any risk about
the project or product without any fear of retribution. Management
encourages this transparency to support risk-informed decisions and
improve the overall quality of products developed and delivered to
consumers.

This example follows the evolution of the risk profile for one product
through the phases of development to track and respond. (For the
purposes of this example, the earlier phases are not included.)

Develop Phase
During a meeting in the develop phase, the marketing manager
brought forward new information about changes in consumer
preferences for a particular feature of the product. This discussion
occurred because of a recently implemented practice to identify key
insights and potential risks during all new product development
projects.

Key Observation
When developing an overall risk profile, the element of time can be factored in by
developing a series of profiles throughout the product life cycle.

Historically, the management of Gulf Technology performed annual
company-wide risk identification by conducting surveys, interviews,
and workshops. However, this annual practice proved ineffective for
supplying timely information in the fast-paced technology industry.
Greater agility was needed to adjust to rapid technological changes,
changing consumer preferences, and competitors (both large and
small) introducing new and improved products.
Now, all new product working groups use cognitive computing
capabilities to conduct real-time risk identification to supplement the
annual company-wide practice. The advanced data analytics allow
vast amounts of unstructured and structured data to be gathered and
analyzed through data mining, natural language processing, and
machine learning. Data-mining technology is used to analyze
comments from various sources, including end-user blogs and
forums on which customers discuss current products. Another source
is website recording technologies that can replay individual customer
experiences and track behavior patterns. This data analysis gives
management more useful and relevant information.
By using these cognitive computing capabilities to identify risks, the
product manager, Stella Sharpe, realized the product as currently
designed would not meet the changing customer expectations. She
led a discussion with the marketing manager and development lead
to better understand how changing a feature could impact the project
objectives and time line. Some of the risks identified included:

• The possibility of a delayed product launch and the impact on the


objective of being first to market with innovative products.
• The possibility of poor customer experience and the impact on
achieving high customer satisfaction on existing products.
To support the risk assessment, Stella Sharpe used impact and
likelihood factors developed by the company and used by all
employees. Gulf Technology uses six criteria (financial and non-
financial) based on internal data from tracking customer complaints,
negative media coverage, and external events from the publicly
available information on the impact of risks on peer organizations.
The six criteria are reputation, market, operations, legal/regulatory,
cost, and value. By consistently using these assessment criteria and
measures across the company, management can view
interdependencies between risks and can aggregate risks from other
business units to higher levels of the company.

In the develop phase, the most relevant criteria were determined to


be reputation, market, and cost. It became clear to Stella and others
that the potential impact to Gulf Technology’s reputation was high if
the company was not first to market and if they failed to achieve high
customer satisfaction. It also became clear that the product
development time line may lengthen to modify the product. Stella was
cautious of being overconfident during the assessment, so she
encouraged everyone in the working group to participate in further
discussion to minimize any bias.
Figure 8.3 shows the objectives considered for the new product.
During the discussion, Stella recognized there were two competing
objectives: 1) being first to market with innovative products and 2)
providing high customer satisfaction. She then considered how risk
impacts performance at a higher, division-level objective—“achieve
sales goals for all new product launches”—by using a risk profile.
The risk profile helped management determine what level of risk was
acceptable for a given level of performance. This initial profile is
shown in Figure 8.4. The x-axis represents the number of units sold
(performance), and the y-axis represents the number, composition,
and severity of risks associated with achieving this objective
—“achieve sales goal for all new product launches.” To develop this
risk profile, Stella used a combination of quantitative and qualitative
approaches and relied on Gulf’s expertise to determine the height
and shape of the curve. Quantitative approaches included data
modeling (reviewing historical product launches for similar products
and corresponding data, including revenue and losses). Qualitative
approaches included reviewing customer complaints and conducting
interviews and workshops with key stakeholders. The target
represents the forecast for new product sales.

When the team gathered to discuss what they had learned about the
relevance of the product to customer satisfaction, the project leader
determined that they should accept more risk by modifying the
product design and potentially delaying the product release. By
accepting the additional risk to achieve the sales goals for this new
product, the risk curve steepened and shifted up, edging close to
Gulf Technology’s risk appetite. This is illustrated by comparing the
risk profile for the business unit objective of achieving sales goals for
new products in the design phase (Figure 8.4) and the develop phase
(Figure 8.5).
Product Launch Phase
The development and building of the new product progressed toward
the launch date. One month before the release date, the development
team reported to the working group that they needed a minimum of
three additional weeks to complete the testing of a component of the
product. At the same time, Stella Sharpe learned that the company’s
main competitor was aiming to release a similar product close to Gulf
Technology’s planned launch date.
With competing product objectives of releasing a new product on
schedule and having a fully tested product to obtain high customer
satisfaction, Stella prioritized the objectives and associated risks to
make a more effective and risk-informed decision, using several
criteria:

• Adaptability: the company’s ability to respond if they launched a


sub-par product or were late to market in releasing a fully tested
product.
• Complexity: the risks of product obsolescence and low sales to the
company’s objective of being market leader in technology and
customer satisfaction.
• Velocity: the risk of not being first to market, which could impact the
company faster than releasing a sub-par product that disappoints
consumers.
• Persistence: the risk of adverse media coverage continuing and the
consequent impact on sales goals following a product release that
does not meet consumer expectations.

With input from the working group, and based on the criteria of
adaptability and complexity, Stella decided to release the product on
schedule rather than delay the launch. She determined that the
impact to overall sales would be significant if the product launch were
delayed due to additional testing and became the second product on
the market.
Prioritizing risks also helped management decide how to best
respond to them, given finite resources. Following the practice of
most companies, Gulf Technology looked to apply one of the
following risk responses to each risk: accept, avoid, reduce, pursue,
and share.
• Accept: Gulf Technology would launch the product with the
untested feature and determine later how to service the product as
issues arose.
• Avoid: They would remove the untested feature from the product.

• Reduce: They would delay the launch date and allow the
development team to perform the additional testing.
• Pursue: They would launch the product as expected, actually giving
prominence to an unproven technology.

• Share: They would replace the untested feature with a tested


feature from a previous product.

Additionally, Gulf management evaluated internal and external


pressures, risk priority, risk appetite, and the costs and benefits
associated with the risk response. The goal was to apply the
appropriate response to bring the risk in line with risk appetite.

In considering the cost and benefits of either accepting or avoiding


the risk, Stella determined that being first to market with a product
that contained only those features that had been fully tested would
have more benefit than leaving a potentially problematic feature in the
product. She avoided the risk by removing the untested feature. The
risk profile from the develop phase showed her how removing the
untested feature would impact the objective of being first to market
compared with the objective of obtaining high customer satisfaction,
and ultimately the business unit objective of achieving sales goals for
new products.
When the untested feature is removed, the curve on the risk profile
flattens and shifts down within the company’s risk appetite for the
objective of being first to market (Figure 8.6). However, when
considering the risks impacting the objective of providing high
customer satisfaction, and ultimately the business unit objective of
achieving sales goals for new products, the risk curve steepens
because a feature that consumers want is no longer part of the
product, which creates additional risks (Figure 8.7).

Track-and-Respond Phase
The working group successfully launched the new product on
schedule. Once the product was in the market, Stella Sharpe tracked
several metrics including sales (e.g., product sales, gross profit
percentages), marketing (e.g., web traffic, number of leads
generated), and product (e.g., inventory management, customer
service requests). These metrics alerted management to key
indicators of both risk and performance.

One benefit of tracking performance metrics is the ability to quickly


redeploy resources as needed. Historically, prior to product launches,
the company devoted significant effort to getting the product
designed, developed, tested, and marketed. Once a product was
launched, substantial time was spent positioning and reacting to
changes in the business context. As a result, Gulf generally could not
manage under- and overperformance (e.g., product sales) and tended
to be more reactive.
Several years ago, Gulf shifted to a focus on managing both under-
and overperformance of all new products to ensure they had
sufficient capacity and resources to meet demand. For example, one
of the company’s call centers could handle customer service
requests of 10% of products sold. So when Stella received real-time
information that sales had spiked significantly in a short period of
time (by using the key indicators that tracked performance), she knew
that the information would be fed into the risk identification system,
alerting the call center to staff additional employees in anticipation of
an increase in customer calls. This system allowed Gulf to reallocate
resources quickly based on changes in consumer demand.

Stella continued to track key indicators, and three months after the
product launch she reported that sales were lagging and customer
complaints about the missing feature were on the rise. In response,
the working group reviewed the entire product development life cycle.
Their goal was to understand what risks impacted the new product
development, at what stage they occurred, and how they affected the
new product and business division objectives.
With the results of this “postmortem,” Stella was able to analyze how
the risks associated with high customer satisfaction actually
increased in severity throughout the new product life cycle compared
to the risks associated with being first to market with an innovative
product. Although she had prioritized the objective of being first to
market during product development, it became evident that
customers would have accepted a short-term delay in the launch if
the end product had had all of the features they were expecting.
Specifically, a two- to three-week delay in the launch was determined
to be acceptable to customers, but not a delay of more than one
month. In fact, Gulf Technology determined that customers were
more sensitive to a product with all of the anticipated features and
were more likely to switch to a competitor’s product if their
expectations were not met. Stella used the analysis to adjust the
approach for other new product launch phases.
Additionally, this information from the postmortem fed into the
company-level portfolio view of risks. Specifically, it showed that the
risks to the objective of high customer satisfaction (risk of poor
customer experience and poor quality) maintained their severity as
they rolled up to the division- and company-level objectives. Those
dissatisfied customers who switched to a competitor product
affected Gulf Technology’s ability to meet its objective of achieving
sales goals for all new product launches. All this information helped
senior management better understand risks they may encounter in
the future. Figure 8.8 illustrates the portfolio view of risks.

The Changing Risk Landscape
The risk profile helped senior management better understand how the
risks from a business division could impact the company as a whole
and how that risk profile shifted during each phase of the life cycle.
This valuable information helped them learn from the experience to
improve future development and launches, as it provided a better
view of what phases and type of risks may cause a greater impact to
objectives. Lastly, as Gulf Technology continues to conduct
postmortems on product launches over time, senior management
may consider revising its overall strategy for launching new products.

16 Reminder: The examples do not illustrate a complete view of all enterprise risk
management practices in an organization. Each organization should consider and adapt the
principles set forth in the Framework to its specific strategies, risks, and opportunities
based on its size, scale, and complexity.
17 Names of organizations and people in this example are fictional, and any resemblance to
actual organizations and people is coincidental.

9. Review and Revision in an Industrial Products Company

Industry Context18
Industrial products companies provide goods and services in the
chemical, engineering and construction, forestry, paper and
packaging, industrial manufacturing, metals, and transportation
sectors.
Industrial products entities may be influenced by any or all of the
following external factors:
• Trade policies of countries where a company operates, acquires
materials, transports goods, or sells products.
• Shifts in economic global power that create both barriers and
opportunities.
• Social unrest that may create risk and even disrupt the supply chain
or distribution networks.
• Technology advancements that provide opportunities for
companies to alter how they address consumer needs and desires.
• Changes across a wide range of laws, particularly when companies
operate in several countries, and the need to comply with these
evolving requirements.
• Environmental oversight that can influence operational practices.

They may also be influenced by the following internal factors:
• Availability and mix of capital to develop infrastructure and respond
to the need for innovation and technology advances.
• Challenges of entering different industries, geographies, or
increasing staffing through organic growth, mergers, or
acquisitions.
• Availability of skilled labor that may impact the ability to maintain
and expand operations.
• Reliance on processes that adhere to their quality and safety
standards.
• Innovative technologies like 3D printing and robotics.

Key Benefits of Enterprise Risk Management in the Example
This example demonstrates how enterprise risk management
enhances the company’s ability to make decisions that increase
positive outcomes, increases the range of opportunities, and reduces
negative surprises.

Principles Demonstrated
The following principles are primarily demonstrated in this example:
• Principle 14: Develops Portfolio View–The organization develops
and evaluates a portfolio view of risk.
• Principle 15: Assesses Substantial Change–The organization
identifies and assesses changes that may substantially affect
strategy and business objectives.
• Principle 16: Reviews Risk and Performance–The organization
reviews entity performance and considers risk.
• Principle 17: Pursues Improvement in Enterprise Risk Management–
The organization pursues improvement of enterprise risk
management.
Aspects of the following principles are also demonstrated in part in
this example:
• Principle 6: Analyzes Business Context–The organization considers
potential effects of business context on risk profile.

Facts and Circumstances19
Mostley Machinery Company is a large international manufacturing
company that builds assembly machines that can produce a range of
products. Mostley Machinery’s customers typically use the machines
for specific parts of their own assembly process; in fact, Mostley
Machinery does not manufacture machines intended to build a
product from start to finish. For example, they sell a variety of riveting
machines that are used as part of an assembly line. Over 250
companies, ranging from small regional manufacturers to large,
global manufacturers, purchase these riveting machines every year.
Mostley Machinery Company is guided by four entity-level objectives:

• Build and maintain customer trust.
• Provide a diverse range of quality products to our customers.
• Operate in a safe and efficient manner.
• Provide stable, long-term value to our shareholders.

Mostley Machinery Company is located in central Europe and trades
on a local stock exchange. The company has seen higher than
average growth in recent years, largely due to the expansion of some
Asian manufacturing companies it supplies to. It is organized by
product lines, of which there are fifteen. There are also four support
functions: strategy and finance, human resources, information
technology, and safety and compliance. The fifteen product lines
report to the chief operating officer. Other members of the senior
leadership team include the chief executive officer, chief financial
officer, director of human resources, director of information
technology, and director of marketing.

During recent analyst calls, Myron Zblinski, the chief financial officer
(CFO), noted growing concern over Mostley Machinery’s ability to
sustain traditional levels of growth. Some pundits believed that the
industry was more likely to experience disruption as new
manufacturing techniques evolved, new materials became more
common, and other entrants were able to penetrate the market. The
analyst community historically viewed the company as one that
provided stable growth with a somewhat risk-averse or risk-neutral
approach. But now there was a growing sense that the company had
started to take on higher risk ventures in pursuit of higher growth
while reducing the focus on the lower-risk parts of the business that
made it initially successful. It remained unclear whether this was a
conscious decision to pursue higher margin products or whether the
company had simply drifted from its original focus. This situation had,
unfortunately, led some analysts to indicate that they may shift their
recommendation from “buy” to “hold.” In response, the senior
management team recognized that they needed to better
communicate the company’s view on risk overall and its strategy for
addressing changes that impact the company.

Discussion
The information that senior management used to understand the
company’s performance came from many sources. In the past, they
typically relied on their own internal reviews, but the recent concerns
of the analysts prompted them to take a fresh look at things. They
needed to determine if the current enterprise risk management
capabilities were meeting the company’s needs. Specifically, they set
out to determine if:
• The company was identifying and responding to changes in
customer preferences, supply chain, materials, etc.
• Risk was impacting performance in ways that were currently
undetected.

• Changes in enterprise risk management practices could enhance


the company’s ability to create or preserve value.

Responding to Changes in the Business


The senior management team of Mostley Machinery set out to answer
the first question: how does the company currently identify and
respond to changes and the effect of those changes on the
company’s overall view of risk (i.e., its portfolio view of risk). The
answer was that response is determined in discussions that Myron
Zblinski had previously built into the business processes. These
discussions include analysis of changes in product mix, changes in
business lines, geographical changes, and internal changes, when
appropriate.

Key Observation

In a small business setting, senior leadership can equip the organization to respond to
risks and identify opportunities by discussing the impact of internal and external changes
on the company’s portfolio view of risk.

Every quarter, the senior management team, under Myron’s purview,
summarized these discussions. Having the strategy team involved in
this process allowed individuals to see the links between the changes
identified and the entity’s strategy. They could then contribute their
ideas and insight as the strategy evolved.
In one of these discussions on external factors, two specific changes
in the industry were noted, and the meeting participants considered
the potential impact of each on the company’s overall risk profile. The
changes were:
• Technology advancements, particularly 3D printing, the growing use
of robotics, and the evolution of digital technology.

• Social unrest and its potential to impact the company’s increasing
reliance on global supply chains.
Through this exercise the company identified some areas of greater
exposure should the trends continue. For example, one of the
product lines focused on providing replacement parts for their
machinery, and the growing prevalence of 3D printing meant that
third parties would soon be able to replicate cheaper parts and create
new competition. Additionally, since many of the company’s
customers are themselves manufacturers, the discussion team
recognized that those customers could begin printing their own parts.

Key Observation

Considering the effect of developments in the external environment on the portfolio view
of risk gives the organization the ability to respond to certain risks before they materialize
and to identify areas where these developments create strategic opportunities.

The team considered what steps the company could take to mitigate
this risk, which led to them discussing opportunities to differentiate
themselves from competitors and create added value. They came up
with a two-part proposal: First, the company should actively pursue
3D printing to internally produce replacement parts potentially at
reduced cost by using AutoCAD. Second, rather than retaining the
AutoCAD files for company use and waiting for customers or other
third parties to develop their own specifications to produce parts,
Mostley Machinery could provide customers with the
stereolithography files with the purchase of one of its pieces of
equipment. This practice could then be marketed as a competitive
differentiator. This idea was recorded and provided to the strategy
and finance team to consider in an upcoming planning cycle.
Assessing Performance and Considering Risk
The second issue was whether risk was impacting performance in
ways that were undetected. The company had a series of goals
aligned to each of its objectives. Each of the goals included a
quantifiable aspect, so that the company could track performance,
which was reported as part of the quarterly business performance
review. Senior leadership reviewed the metrics for each goal
quarterly. On review, two metrics stood out: sales by region and sales
by product type, illustrated in Figure 9.1.

As noted in Figure 9.1, the company was selling 35% of its
equipment to the Asian market. This percentage had risen in each of
the last five years, before which sales to Asia represented less than
10% of the total. This increase was not planned, but it has driven the
majority of the company’s overall growth in this period, and it
exposed the company to a higher amount of risk than the company
could sustain, as the Asian market was viewed by management as
more cyclical than the European market.

The team also reviewed the revenue from replacement parts. The
goal was to maintain the percentage of revenue from sales of
replacement parts to overall sales at 7%. The company wanted to be
sure that it remained—above all—a provider of equipment, as that
generated much higher profit margin than the sale of replacement
parts. At the same time, the company wanted to retain its
replacement parts customers, rather than losing them to their
competitors for those parts, or worse, for new equipment.
Taking all this information into account and reviewing historical data
to understand seasonal and other trends, the company defined a
lower boundary for the tolerance of 3% and an upward boundary of
11% (see Figure 9.2). Senior management determined that having
replacement parts revenue below 3% suggested that parts were
being over-engineered with a higher cost to produce. Above 11%,
there was likely either a reliability problem with current parts or
customers were keeping the machine past the intended useful life,
choosing to repair rather than replace machines.

In one quarter, the actual performance was 12% (shown as the solid
green line in Figure 9.2). This shift in the percentage of revenue from
replacement parts presented a confusing trend for senior
management. They viewed it as being a higher risk to future revenues
because, as noted above, customers could easily shift to lower-cost
aftermarket versions or use 3D printing to create their own parts.
In researching the reasons for the 12% replacement sales, senior
management identified that three years ago, Mostley Machinery had
streamlined its operations to pursue the goal of operating efficiently.
Management was now starting to see the longer-term implications of
that change. An estimated 70% of the customers were replacing a
part purchased (either on their own or as part of new machinery)
within two to three years, rather than the targeted ten-year useful life.
These failure times were occurring just before the warranty period
ended. This increased failure rate was resulting in higher sales
revenue from replacement parts but also incurring higher warranty
repair costs for Mostley Machinery.

Key Observation

By defining a performance target and tolerance, and by monitoring performance against
target and tolerance, an organization can identify when it may be taking too much or too
little risk in certain areas and adjust as needed to achieve the desired level of
performance.

With this insight, leadership considered whether they should adjust
the target and/or tolerance for replacement parts, or whether the
company was assuming too much risk by having a lower useful life
for key parts. Ultimately, they decided that the decrease in useful life
for parts could threaten the company’s reputation for quality and their
customers’ trust. They determined that in streamlining the process,
they had accepted a higher amount of risk of product quality.
Therefore, they initiated a project to determine the cause of the
shorter useful life and to modify the process to bring the average
useful life for the parts back to three years.

Considering Current Practices
For the past several years, Mostley Machinery has taken steps to
understand the current and desired enterprise risk management
capabilities. For instance, the chief executive officer (CEO) and the
internal auditor now attend business performance reviews with the
operating divisions to look at progress against performance goals
and how the business is incorporating an understanding of the risks
as they operate in pursuit of their goals. This has helped the CEO to
understand performance of the business and the internal auditor to
develop an annual audit plan.
However, the senior team also needed to refresh their understanding
of where enterprise risk management capabilities were integrated into
the business. They initially looked at scoring the company using a
typical maturity model, but that was too high level and didn’t provide
enough insight into the day-to-day operations. Instead, each member
of the senior leadership team was asked to compile a summary of the
key enterprise risk management activities that had been woven into
day-to-day operations. These summaries included the following:

• The chief financial officer (CFO) noted that risk management was
formally part of the budget planning sessions. The budgeting
process asked two questions: Have we allocated funds to support
initiatives to enhance the managing of risk where needed? What
efforts are we funding that provide minimal impact on amount of
risk taken by the company?
• The chief operating officer (COO) noted that risk was a topic for
discussion at every operations meeting in addition to the regular
discussions on new staff, training, production targets, and quality
assurance results. The plan was to move risk from being a separate
agenda item to being a factor of every topic, but that change would
likely take twelve to eighteen months.

• The chief information officer (CIO) noted that risk assessments were
being used in the review and development of new technology on a
company-wide basis, where common technology was used by
multiple departments. These assessments had helped to identify
potential problems in past projects.
• The vice president of human resources noted that risk management
was being woven into performance reviews.
While there were many positive practices noted in these
conversations, it became apparent that there were opportunities for
improvement. For instance:

• Changing revenue patterns over time had not been a focus, as the
company typically compared only the current quarter to the prior
quarter, or the current year to the prior year. This meant that
slowly evolving trends were not necessarily identified.
• None of the senior leadership team was able to articulate why the
amount of risk taken by the company was appropriate. Few could
state with confidence whether it was too high or too low. Most
relied more on personal judgment and experience to determine the
appropriate amount of risk.
• While the CEO and internal auditor attended performance meetings,
there was no sharing of information across these meetings. There
were concerns that some risks potentially impacting more than one
group might still be looked at in isolation. For instance, at the same
time the CFO was asking for spending on research and
development to be reduced, the COO was seeing a growing need
to increase efforts on new product development.
• The company had a spot bonus program for rewarding individuals
for specific efforts. The vice president of human resources noted
that of the spot bonuses awarded in the past twelve months, 40%
related to culture (doing the right thing for the client), 40% related to
efforts to help meet an internal deadline, and 20% related to long-
time service. None of them related to instances of individuals
helping shape the risk profile of the company through their
decisions. All senior leadership team members were encouraged to
consider spot rewards for such instances.

Changing Practices
Management realized that it was important to develop capabilities
that:
• Support people in making decisions across the company that
reflected a common understanding of acceptable risk taking.
• Consider how performance evolves over a longer period than just
one year to the next.
• Enhance communications to the board on emerging risks that could
disrupt the business.
• Enhance communications with the analyst community. Most
notably, they needed to develop a way to better communicate how
risk factored into decisions.

To begin making these changes, the senior leadership team met to
formulate a view of the overall risk appetite. First they considered the
extent to which the overall strategy and entity-level objectives aligned
with its mission, vision, and core values. They reviewed the
company’s recent annual reports, internal management reports, and
press releases to identify trends in communication that could be used
to infer where leadership was most interested in minimizing risk or
taking risk. They also reviewed internal memos from the CEO and
other business unit leaders to identify where they were asking
employees to focus.

Each executive was asked to develop a view of the type and amount
of risk acceptable for the strategies related to their area of the
business. Once this was done, the senior leadership members met
with their staff to get feedback on how such a statement might be
useful in practice and what needed to be made clearer. The senior
leadership then met as a group to discuss, revise, and ultimately
finalize the statements.
Figure 9.3 lists a few risk appetite statements that the company
developed by entity-level objective to use in decision-making.
Once the executive risk committee finalized the statements, they
invited the board of directors to review and comment on them. The
statements were then sent to all executives and managers, who were
encouraged to refer to them when making decisions that involved
assuming a certain level of risk. They were also instructed to elevate
the decision to the next level if they felt uncertain whether the risk
they were taking aligned with the company’s risk appetite.

One method the company used to assess the success of their efforts
was revisiting the sales trend analysis previously completed and the
percentage of sales represented by replacement parts. As part of that
assessment the senior team reflected on the risk appetite
expressions, noting that the company:

• Has a low tolerance for risks that create situations or actions that
could negatively impact customer trust.
• Will seek to produce equipment of superior quality and reliability,
understanding that such goals may come with a cost.
• Has stakeholders who expect strong financial performance and will
not accept risks that unnecessarily erode financial performance.
The result of the assessment was a new risk profile, which was
presented to senior management, showing three possible levels of
risk appetite (see Figure 9.4). In this case, since the company had a
history of performance and an understanding of risk to that
performance, risk appetite was being set by management in the
context of actual performance (i.e., “We know our performance and
tolerance, and now we are figuring out where appetite should be”).
After considerable discussion and debate, the senior management
team agreed that risk appetite was best depicted as line B. With this
decision made, it became clear that the actual level of performance
indicated exceeded the overall risk appetite and, therefore, remedial
actions were needed.

Developing a Common, Company-wide View of Risk
To develop an enterprise view of risk, staff for all product lines and
functions identified risks within their part of the company. These
included everything from those risks related to specific suppliers not
delivering on time to internal systems failure. But to be sure that this
effort did not detract from the important risk management efforts
happening within each of the programs, senior leadership appointed
a point person from each product line and function (the working
group) to develop a portfolio view of risk. Each product line and
function regularly provided the designated person with updated risk
information, an effective system that required minimal effort from the
managers.

Key Observation

Small businesses may have a less-formal process for regularly reviewing and discussing
risk. This may include a management meeting every quarter with key leaders, where risks
and interdependencies are discussed.

The senior leadership team supplemented this information with their
own insight on the top risks facing the company and discussed it
further, as needed. Over time, they refined the reporting to provide
the needed information from the portfolio view to each stakeholder
group, including the board, senior leadership, and risk owners.
Figure 9.5 illustrates the completed portfolio view of risk. Note that
the approach is not a linear compilation, but reflects considerable
management judgment. For instance, management has noted in the
specific risks to business objectives that only one was in the
moderately high range: “Be a fast follower of product innovation.”
That objective is, however, significant to the overall entity-level
objectives and as a result the related entity-level objective was also
assessed as having a moderate amount of related risk.

With the combination of captured risk information and management’s
own judgment, Mostley Machinery had a dashboard that provided the
insight required, focusing on the impact of risk on performance. The
dashboard illustrated in Figure 9.5 indicates the level of risk to both
entity and business unit objective performance targets. The color
scheme is also tailored to reflect the risk appetite.

• Red represents the level of risk that the company is unwilling to
accept in the pursuit of value.
• Yellow indicates that the risk is just within the level the company is
willing to accept in the pursuit of value, but the assessed level is
higher than desired.
• Green indicates that the risk is fully within the level the company is
willing to accept in the pursuit of value.

Completing the Conversation
Having taken on these efforts to understand how enterprise risk
management capabilities and practices were woven into the
business, and where they could make changes, the CFO gained a
better appreciation of the analyst observations. Steps were taken to
address the appearance of higher-risk activities displacing lower-risk
activities with proven performance. The change in focus on
increasing the useful life of parts demonstrated how risk management
can increase positive outcomes. The focus on using 3D printing and
the distribution of related files helped increase the range of
opportunities. Further, the focus on company-wide risk and viewing it
through the lens of risk appetite (and carefully considering
stakeholder views) will help to reduce negative surprises. Most
notably, the plan addressed the concerns that the company had
adopted a higher risk strategy or inadvertently become more
aggressive in its decision-making.

18 Reminder: The examples do not illustrate a complete view of all enterprise risk
management practices in an organization. Each organization should consider and adapt the
principles set forth in the Framework to its specific strategies, risks, and opportunities
based on its size, scale, and complexity.
19 Names of organizations and people in this example are fictional, and any resemblance to
actual organizations and people is coincidental.

10. Risk Information in a Healthcare Company

Industry Context20
Healthcare providers deliver medical services to patients ranging
from routine care to specialized critical care such as surgery,
psychiatry, obstetrics and gynecology, and oncology. Healthcare
providers may fit into one of a variety of business models: non-
governmental, governmental, not-for-profit, for profit, religious, or
academic.
Healthcare may be influenced by the following external factors:

• Intervention in policy and decision-making stemming from special
interests rather than business-driven approaches.
• Reimbursement rates that are affected by the general economy and
public policy.
• Consumers using non-traditional sources of healthcare, including
telemedicine, small clinics in retail stores, and physician assistants
and nurse practitioners.
• Changing technology and the availability of confidential patient
information.
• Strict regulatory requirements along all aspects of the provider
delivery model.
• Changing landscape of global healthcare crises, including
pandemics.
Healthcare may also be influenced by the following internal factors:
• Capital demands to sustain merger and acquisition activities that
are needed to maintain and expand facilities or invest in updated
equipment.

• Competition for staff at all levels due to increasing demand from all
types of healthcare providers.
• Staff operating in silos, which affects information sharing.
• Dependency on technology in all aspects of the delivery model,
from decisions on patient care to reimbursements for services
delivered.

Key Benefits of Enterprise Risk Management in the Example
This example shows how enterprise risk management practices
reduce performance variability. It also shows how enterprise risk
management information practices help a company improve resource
deployment.

Principles Demonstrated
The following principles are primarily demonstrated in this example:

• Principle 18: Leverages Information Systems–The organization
leverages the entity’s information and technology systems to
support enterprise risk management.
• Principle 19: Communicates Risk Information–The organization
uses communication channels to support enterprise risk
management.
• Principle 20: Reports on Risk, Culture, and Performance–The
organization reports on risk, culture, and performance at multiple
levels and across the entity.
Facts and Circumstances21
Highland Hospitals provides services in traditional hospital settings. It
operates thirty affiliate hospitals in five different states across the US
as a not-for-profit business. It specifically supports people in low-
income areas needing routine and critical care. The target
demographic is people who have few choices in healthcare providers
because they live in rural communities. Most revenue is generated
through reimbursements from government-provided insurance.
Highland Hospitals has formalized its mission statement:
Our mission is to provide the highest quality patient care to all
communities in which we serve. We do this through employing
dedicated professionals to deliver top care and professional staff to
provide support throughout the organization. We value all patients
equally. We will operate in a financially responsible manner ensuring
our long-term sustainability as a provider of care for our
communities.
Senior management recently gathered to set objectives that would
support this mission. They established two that they felt best
reflected Highland Hospitals’ pursuit of mission:
• Provide quality care to patients in communities served.

• Hire and retain high-quality physicians, nurses, and support staff.


Over the past several months, Highland Hospitals has become the
target of increasing negative media coverage about surgery and
appointment wait lists and overcrowding in its emergency rooms.
Despite assurances from the CEO, Emma Carballo, that healthcare
services would not be hampered and all efforts were being made to
address the situation, the company has been slow to respond to the
growing call to action. The result has been increased fatigue and
frustration from the medical team, and in particular the nursing staff.
So far, the situation has not affected retention rates, but management
has had difficulty hiring more nurses, especially in some of the more
remote communities it serves.

Discussion
Emma called the director of nursing, Antonio Garcia, to talk to him
about the recent media coverage and impact on the nursing staff.
She told him that the leadership team was contemplating a number of
large-scale initiatives, but even if approved by the board, those would
likely take several years before comprehensively addressing the
growing wait lists and impact to staff. Emma asked Antonio to
develop an interim plan of action to continue to attract and retain
nursing staff.

Antonio began by reviewing the available internal data on hiring and
retaining nurses to understand the greatest impacts. These indicators
with analysis are shown in Figure 10.1.
Antonio then compared his internal numbers to information made
available by the National Nursing Association. The association’s latest
annual report outlined current trends and explored the challenges in
recruiting new nurses. The report confirmed Antonio’s suspicion that
there is an overall shortage of nurses across the country, with some
rural areas more affected than areas with larger populations. The
assumptions behind the nursing shortage were many, including:
• Aging population with a greater number of older adults who are
expected to have at least one chronic condition requiring ongoing
medical care, adding to the demands of the existing patient pool.
• Corresponding number of nurses and nursing educators who are
approaching retirement age.
• Propensity for graduating nurses to work within the same
geographic area in which they completed their nursing studies.
• Most nursing educational facilities and schools being in urban areas
or affiliated with larger universities and hospitals.
• Ongoing challenges in having nurses with foreign designations and
licenses being recognized or accredited in a timely and cost-
efficient manner.
After looking at both the external data and internal indicators, Antonio
recognized that he needed to take a different approach to mitigate
the risk of having nursing shortages that would further contribute to
Highland Hospitals’ existing operational challenges. The nursing
program had always been managed with consideration to two
primary objectives: providing quality care and hiring and retaining
high-quality staff. These objectives are codependent: without quality
staff, it is difficult for Highland Hospitals to deliver the highest quality
care, and so Antonio decided to focus on hiring and retaining high-
quality staff.

Antonio knew he needed help in thinking through the components
that contribute to hiring and retaining high-quality staff, which
includes identifying candidates and agreeing on competitive benefits.
He started by engaging the human capital officer, Eva Andreotti. They
broke the process into two parts—attracting and retaining nurses—
and began to think through what information Antonio needed.
As noted, Highland Hospitals had already identified that they were
receiving fewer nursing applications than their target numbers.
Antonio and Eva hypothesized that there were fewer nursing students
in local schools than there used to be, which affected the number of
applications. To develop a measure that would give them insight into
potential applicants at an earlier point in their process, Antonio and
Eva set out to determine how many nursing students were being
admitted to the local nursing schools. They emailed the director of
admissions at each of the major schools, hoping to validate their
hypothesis or learn other reasons students were selecting different
options.
Additionally, they looked at the compensation and benefits that
Highland Hospitals offers staff, both having an impact on retaining
current staff and attracting new hires. They began by identifying what
their competitors were offering, including doctors’ offices, home
healthcare services, and skilled nursing facilities. They also identified
that corporations, contract nursing, and urgent care centers could be
competitors, but noted that the nurses from the target schools do not
tend to go to those organizations. The specific information they
wanted included the following:
• Salary components (base pay, bonuses, and paid leave).
• Flexibility of workplace arrangements including availability of extra shifts.
• Career progression and access to continuing education.
• Human resource policies including sick leave and workplace safety.

Antonio and Eva then tackled the job of understanding the culture of
the nursing staff. Culture affects why nurses want to stay at a
hospital, and the data showed that once nurses chose Highlands they
tended to stay. This understanding was critical as they looked to
identify nurse hires. What behaviors, they wanted to know, drive that
culture, and what encourages nurses to continue working at Highland
Hospitals? To find out, they sent a survey to the nursing staff
encouraging them to share their views anonymously. The survey
asked nurses:
• When do you feel the most appreciated?
• Do you feel the management team is transparent?
• What three words would you use to describe our culture?
• What would you change to improve our culture?
The survey revealed that one significant driver of low morale was
fatigue. The reasons cited were many: a general shortage of nurses
across the system; a shortage specific to certain units because of a
gap in experience with attending nurses; the need to spend
significant time training new nurses who lacked clinical experience;
and the imbalance between extremely busy times and very slow
times, for which there had been no analysis of data that could help
normalize the resource capacity.
While the survey data was being compiled, Antonio and Eva received
their first responses from the nursing schools. The director of
admissions at one of the largest schools indicated that they had not
seen a change or decline in admissions given the number of
government scholarships that had been recently made available
particularly for students from more remote, rural areas. He went on to
explain that while he was not at liberty to divulge where and why
nursing students accepted employment offers, he could confirm the
recent press coverage of Highland Hospitals was the topic of
conversation for many students who had expressed reservations in
applying for positions there.

Using the information that Eva and he had gathered, Antonio started
to develop a plan of action to present to the board. The plan included
the following suggestions:
• Launch a digital recruitment campaign to encourage applications at the nursing schools.
• Introduce a variety of non-monetary benefits including increased flexibility for accepting additional shifts, flexible scheduling such as weekends only to accommodate families, alternative schedules such as fewer long schedules or shorter schedules, and subsidized daycare through agreements with daycare providers.
• Introduce offers for additional financial and study support for continuing education to allow nurses to specialize in areas with forecasted skills shortages.
• Establish a mentorship program to address the experience gap.
Such a program would provide valuable information to the
leadership of the nursing staff across the hospital system. From the
start of the clinical portion of nursing school through internships,
new nurses would be matched with a mentor to accelerate their
professional development.
• Implement a new approach for data analytics that enables more
accurate staff resourcing needs. The approach would use a variety
of data feeds, assumptions, and historical analysis to anticipate
incoming patient levels and types of care. These include:
− Police reports and traffic condition alerts to prioritize the hospitals to which ambulances are directed in real time and alert hospital staff of incoming patient volumes.
− Meteorology reports to track weather patterns such as heat waves that are likely to see a spike in patient admissions.
− Updates from centres for infectious diseases regarding the status of epidemic outbreaks such as flu, chicken pox, and whooping cough.
− Research papers on longer-term trends in lifestyle choices such as smoking, alcohol consumption, and exercise habits that may lead to healthcare implications and require specialist nursing care and skills.
− Periodic demographic data outlining the distribution of population by age, gender, and education levels for populations surrounding each of the hospitals.
• Refine the key indicators to include more forward-looking metrics to better gauge future resourcing challenges. Existing metrics on turnover would be supplemented to include:
− Scope and persistence of social media coverage relating to employment conditions and patient care.
− Average amount of overtime worked by nurses during periods of high-volume admissions.
− Number of nursing staff undertaking further professional education.
• Launch an initiative to review the time nurses spend on administrative tasks and whether those tasks could be automated or delegated to administrative staff. The initiative would work with the IT teams to track the time each nurse spends administering healthcare compared to updating records and charts or completing other tasks.
Having developed a proposed plan of action, Antonio and Eva then
engaged with both the risk and finance teams. The risk team provided
the latest risk report to the board outlining those objectives that were
most at risk of not being achieved and considering the financial,
patient, and operational impacts should those risks materialize. The
finance team worked with Antonio and Eva to determine whether the
current year’s budget could absorb the additional costs or whether
those costs would need to be distributed over a longer time period.

Together, they prepared an integrated plan of action for the CEO that outlined:
• Anticipated impact of the risks associated with resourcing shortages including:
− Loss of revenue from declining patient numbers.
− Increased costs associated with longer wait times.
− Adverse impact on the company’s brand and reputation.
− Additional regulatory and political scrutiny.
• Level of confidence in the ability of Highland Hospitals to adhere to its risk appetite and manage stakeholder expectations in the absence of a plan of action.
• Forecasted cost of implementing short- and longer-term proposed changes.
• Changes in the risk profile assuming the additional management actions taken to mitigate the risk and its revised prioritization.
The report concluded that without further action, the hospital would
incur significant variations in performance and face increasing
scrutiny from its shareholders and regulators of both the quality of
care and the efficiency of its general operations. The costs
associated with implementing additional management actions were
presented in response to the increasing priority associated with the
objective of attracting and retaining competent nursing staff.

Leveraging Structured and Unstructured Data from Internal and External Sources
Antonio recognized that he needed information from both structured and unstructured sources. That would provide him with the insight to manage the nursing staff efficiently and hire “best fit” nurses to increase quality delivery and reduce performance variability in providing care. It also allowed Highland Hospitals to monitor performance against its objectives and to make more timely decisions when performance was being impacted. The combination of better information and more timely action will help to reduce the variability in the hospital’s outcomes.

20 Reminder: The examples do not illustrate a complete view of all enterprise risk
management practices in an organization. Each organization should consider and adapt the
principles set forth in the Framework to its specific strategies, risks, and opportunities
based on its size, scale, and complexity.
21 Names of organizations and people in this example are fictional, and any resemblance to
actual organizations and people is coincidental.