Coso Compendium of Examples - Coso
Committee of Sponsoring Organizations of the Treadway Commission
Board Members
Robert B. Hirth Jr., COSO Chair
Richard F. Chambers, The Institute of Internal Auditors
Mitchell A. Danaher, Financial Executives International
PwC—Author
Principal Contributors
Miles E.A. Everson, Engagement Leader and Global and Asia, Pacific, and Americas (APA) Advisory Leader, New York, USA
Dennis L. Chesley, Project Lead Partner and Global and APA Risk and Regulatory Leader, Washington DC, USA
Frank J. Martens, Project Lead Director and Global Risk Framework and Methodology Leader, British Columbia, Canada
Maria Grimshaw, Senior Associate, New York, USA
Additional Contributors
PwC also wishes to thank Violet Rukambeiya, Derrick Sturisky, and Kathleen Crader Zelnik for their
contributions to the development of the Compendium.
Table of Contents
Foreword
1. Introduction
2. Governance in a Higher Education Institution
3. Culture in a Government Entity
4. Culture in a Financial Services Company
5. Strategy and Objective-Setting in an Energy Company
6. Strategy and Objective-Setting in a Not-for-Profit Entity
7. Performance in a Consumer Products Company
8. Performance in a Technology Company
9. Review and Revision in an Industrial Products Company
10. Risk Information in a Healthcare Company
Foreword
In keeping with its overall mission, the COSO Board commissioned
and published in 2017 Enterprise Risk Management—Integrating with
Strategy and Performance. That publication recognizes the increasing
importance of the connection between strategy and entity
performance as well as concepts and applications of enterprise risk
management. The second part of that publication, the Framework,
accommodates different viewpoints and organizational structures to
enhance strategies and decision-making. It also sets out core
definitions, components, and principles, and it provides direction for
all levels of management involved in enterprise risk management.
The COSO Board would like to thank PwC for its significant
contributions in developing Enterprise Risk Management—Integrating
with Strategy and Performance: Compendium of Examples.
Robert B. Hirth Jr., COSO Chair
Dennis L. Chesley, PwC Project Lead Partner and Global and APA Risk and Regulatory Leader
1. Introduction
The COSO publication Enterprise Risk Management—Integrating with
Strategy and Performance sets out a relationship between an entity’s
mission, vision, and core values; its strategic goals and directions;
and the approaches used in carrying out its strategy.
This complementary publication offers a compendium of examples to
illustrate how an organization might apply principles from Enterprise
Risk Management—Integrating with Strategy and Performance to its
day-to-day practice. Each example highlights specific principles that
are relevant to entities of different types and sizes in different
industries. Together, the examples relate to each of the five
components and twenty principles set out in the Framework.
Examples by geographic reach (partial figure content):
Local: Financial services company (Chapter 4)
International: Higher education institution (Chapter 2)
2. Governance in a Higher Education Institution
Industry Context¹
Higher education, often referred to as postsecondary or tertiary
education, refers to learning delivered by universities, academies,
colleges, seminaries, and institutes of technology that award
academic degrees or professional certifications at the successful
conclusion of a program of study. Many of these institutions also
have research programs driving technology developments, scientific
discoveries, and innovation in all disciplines.
Higher education entities may be influenced by any or all of the
following external factors:
• Government policies and funding that impact operations and
revenue streams.
Principles Demonstrated
The following principles are primarily demonstrated in this example:
• Principle 1: Exercises Board Risk Oversight–The board of directors
provides oversight of the strategy and carries out governance
responsibilities to support management in achieving strategy and
business objectives.
The university has already met with one investor, Lambda Labs. A
partnership with Lambda Labs would see a multiyear investment in
the university’s infrastructure and provide a welcome injection of
working capital. As a part of a regular review of board oversight and
to bolster stakeholder confidence, the board intends to enhance
transparency of its governance, oversight, and risk management
systems.
Lambda Labs stated that while the financial reporting and forecasting
information already provided was critical to their decision to pursue
further discussions, they require greater visibility and information on
the risks and potential impacts on the university’s long-term
performance. As an example, Lambda pointed to the increasing
number of student protests occurring over proposed curriculum
changes and funding decisions, and the impact those could have on
the university’s reputation and its ability to attract future investments.
Discussion
Designing Board Oversight
The board is supported by three existing sub-committees designed to
oversee the performance of the university in relation to its mission,
vision, and core values. The board delegates authority to each of the
committees, which is outlined in greater detail in their respective
charters:
• Investments Committee: oversight of the investments portfolio in
line with the university’s risk appetite.
• Audit Committee: oversight of financial reporting and audit matters.
• The new steering committee will be given the task of reviewing the
university’s current reporting capabilities and proposing
improvements to provide better insight into performance and the
portfolio view of risk.
Key Observation
By highlighting the assumptions that underpin the strategy and business objectives, or
the assessment of risks, the organization is in a better position to identify changes to the
risk profile and performance of the entity in a timely manner.
By using the strategy and business objectives to structure a report, an organization will
more clearly highlight information relating to new and changing risks and the impact to
performance. Those who use the report can observe how one risk may impact multiple
objectives, or how changes in the business context may impact more than one risk.
The rating and trend analysis was completed in relation to objectives, not risks. This
approach focuses the board on performance-related conversations rather than risk-centric
conversations.
The balanced scorecard included key indicators and trends for each
business objective to highlight levels of performance and identify
potentially manifesting risks. The analysis, included in the monthly
management report, integrated the discussion of performance and
risk to provide context to the university’s level of confidence in
achieving its strategy and business objectives (see Figure 2.4).
The analysis also permitted the university to highlight those risks or
trends that impact more than one section of the strategic plan. As an
example, the increase in university partnerships with industry and
commercial entities influences the risk profile of Part 3, Supporting
the Needs of the Future Economy, and Part 4, Optimizing Operational
and Financial Performance.
Once it improved its reporting practices, the university was able to
provide greater transparency of its current and forecasted
performance to share with potential third parties. In the case of
Lambda Labs, the pharmaceutical research group was seeking to
partner with the university to build a state-of-the-art research
laboratory that would house world-class research teams and teaching
facilities for undergraduate and postgraduate medical students. The
construction of the laboratory would be seen as a competitive
advantage in recruiting students and bolstering the quality of the
academic curriculum and teaching capabilities.
1 Reminder: The examples do not illustrate a complete view of all enterprise risk
management practices in an organization. Each organization should consider and adapt the
principles set forth in the Framework to its specific strategies, risks, and opportunities
based on its size, scale, and complexity.
2 Names of organizations and people in this example are fictional, and any resemblance to
actual organizations and people is coincidental.
3 For brevity, only select key performance metrics listed in Figure 2.2: Five-Year Strategy
Part 1: Delivering Academic Excellence are shown in the executive dashboard.
3. Culture in a Government Entity
Industry Context⁴
Government entities often have complex and diverse missions that
set the stage for the overall strategy to provide services to the public.
Developing and carrying out a strategy can be complicated by
changes in budget, political climate, highly visible public oversight,
and even the overall mission. Many government entities face
significant resource constraints and declining budgets, which impede
their ability to hire in response to attrition and retirement. This
challenging environment often results in employees who focus only
on carrying out their day-to-day responsibilities, not the bigger
picture.
Government entities may be influenced by any or all of the following
external factors:
Principles Demonstrated
The following principles are primarily demonstrated in this example:
• Principle 3: Defines Desired Culture–The organization defines the
desired behaviors that characterize the entity’s desired culture.
• Principle 4: Demonstrates Commitment to Core Values–The
organization demonstrates a commitment to the entity’s core
values.
• Principle 5: Attracts, Develops, and Retains Capable Individuals–
The organization is committed to building human capital in
alignment with the strategy and business objectives.
Aspects of the following principle are also demonstrated:
• Principle 20: Reports on Risk, Culture, and Performance–The
organization reports on risk, culture, and performance at multiple
levels and across the entity.
Discussion
Addressing Cultural Challenges
Russ Desjarles, the head of the Department of Local Enterprise,
recognized that the backlog of real estate development applications
was a symptom of a larger and growing operational and cultural
issue. Management at all levels had not been adequately evaluating
the performance and risk implications of their actions and using that
information to make better decisions. Additionally, the tone from
management suggested that employees should just focus on getting
their work done, not on raising issues of risk. Russ and his leadership
team acknowledged that this culture was causing problems to linger.
Key Observation
Defining roles and responsibilities for enterprise risk management at all levels of an
organization sets the expectation that it is not something left to those in charge of risk,
but something the entire organization must embrace and participate in.
Key Observation
By aligning risk reporting with existing reporting processes, risk management is not
viewed as a separate activity, but as one part of managing performance and operations
at each level.
The positive results were soon apparent. For those employees in the
real estate development applications group, raising the level of risk
awareness through training allowed them to identify and
communicate risks to the objective of processing the applications,
which resulted in modifying the process and improving efficiency. At
another training event, Carina Mack, Cordell Bramble, and Madeline
Fromm, ambassadors from three different business units, identified a
risk that was common to them all. Considering the information in
aggregate changed the assessment of the risk and revealed a greater
exposure. The three ambassadors worked with their business unit
leaders to establish a small cross-functional team to develop the right
response to the risk. Carina, Cordell, and Madeline were
subsequently recognized by leadership for their efforts to identify,
prioritize, and treat the risk. In-depth risk management training is now
provided at least once a quarter to the risk ambassadors, since they
are responsible for embedding risk management practices and
capabilities into the operations of their respective units.
Russ has also made time for regular discussions on emerging risks. In
these discussions, ambassadors identify emerging risks, considering
the business context of the department and changes to the internal
and external environment. This practice has now been carried into the
regular processes of identifying business unit risks and strategic
planning.
Understanding Changes in the Culture
Having implemented several cultural changes, leadership wanted to
evaluate the impact of the measures taken. They already conducted
an annual employee survey with broad focus, and that had a good
participation rate. To avoid “survey fatigue” (which tends to drive a low
response rate), they decided to use the information from the
existing survey and build on it.
To that end, they collected the survey data from previous years and
reported the responses concerning culture to the risk ambassadors
and senior executives. Figure 3.1 illustrates the results of the survey
over eight years, with the changes in culture being introduced
between years 7 and 8. The four areas being tracked by the survey
show improvement, but did not reach 80%, which was the target.
Note that while the survey results did not drive culture change, they
provided point-in-time information on how behaviors were changing.
Senior executives were asked to review the trends and develop an
action plan to change behaviors in their units to drive a culture of
awareness and transparency for risk.
Key Observation
You need to understand the stakeholders’ expectations for reporting before you begin to
design your reports. That’s the only way you’ll prepare a report that gives them what
they need.
Key Observation
Discussions that specifically focus on emerging risks and risks from the external
environment can help an organization understand important disruptive events.
Russ also recognized that the business units needed to embrace risk
management and embed it into their operations if they wanted to
receive timely risk information to inform decision-making and avoid
issues such as the one related to real estate permits. To help support
this practice, leadership established a series of operating standards
that all the units are expected to meet. These standards provide
enough flexibility so units can implement risk management effectively
while still retaining consistency across units. The department uses
peer review as one method of evaluating the competence of the staff
directly responsible for risk management and whether the units are
achieving the standards. Ambassadors review the work of other
ambassadors and provide feedback on how capabilities can be
enhanced. Aggregate feedback is also provided to inform topics for
enterprise-wide training.
4. Culture in a Financial Services Company
Industry Context⁶
Financial services companies offer a wide variety of financial products
to customers who want to manage their financial assets. These
companies range from local credit unions to global institutions.
Customers vary from individual retail clients to large organizations
with sophisticated financing requirements. No matter what the size
and scope of a financial institution, its complexity of products,
operations, and balance sheet management is derived from its
mission, vision, and strategy and influenced by the prevailing
economic and regulatory climate. Regional banks, in particular,
provide the financial lifeblood for the area in which they operate,
supporting communities, industry, and small businesses in growing
localized economies and creating jobs.
Principles Demonstrated
The following principles are primarily demonstrated in this example:
• Principle 3: Defines Desired Culture–The organization defines the
desired behaviors that characterize the entity’s desired culture.
• Decisions are made in line with our core values, even in the
absence of a defined process or policy.
Key Observation
• Staff were aware of the bank’s brand, but that had not been
translated into policies or other tools to help with decision-making.
Consequently, inconsistent decisions were being made concerning
underwriting, budgeting, and other operational matters.
• Vision: Be the most trusted business advisor and bank of choice for
our community.
• Core values: We act with the utmost integrity and professionalism,
providing the highest level of customer service and honoring our
responsibilities we have to our customers, staff, and community.
The plan has four major sections that are in line with the strategic
plan, business objectives, and core values:
1. Demonstrating leadership.
2. Providing excellent customer service.
Demonstrating Leadership
Management implemented training modules specific to the mission,
vision, and core values, and through this scenario-based training they
enabled personnel to better understand how individual expectations
drive desired behaviors throughout the bank. For example,
relationship managers were given a scenario of receiving a financing
application from a long-standing customer who did not meet all of the
revised quantitative information requirements. Training was provided
on what other information could be relied on to meet the regulatory
requirements and how to decide whether to approve the application
that was in line with the bank’s core values and risk appetite. Staff
were also given guidance on how to work collaboratively with clients
to strengthen applications where needed.
Broad Bridge Bank also decided to review its incentives program and
consequently modified the compensation structure to focus on long-
term sustainable performance in line with core values, rather than
short-term performance. They made adjustments to include
performance incentives to recognize positive risk management
behaviors, and mechanisms that trigger bonus forfeiture in the case
of reckless risk taking. By integrating risk metrics into the employee
compensation program, management demonstrated its commitment
to promoting desired behaviors of performance and risk. Connecting
compensation and risk-adjusted performance helped create
outcomes that aligned with the company’s portfolio view of risk. The
rewards and consequences demonstrated that risk management is
everyone’s responsibility.
Following each performance evaluation, management now
establishes performance goals with employees for the upcoming
year, embedding enterprise risk management practices and
capabilities into the achievement of those goals. Accountability for
risk management responsibilities is clearly defined and employees are
required to fulfill risk-related objectives as part of their annual goals.
Management has also established individual and unit-level
performance measures, incentives, and rewards, embedding the
values and desired behaviors into the process. Customer satisfaction
measures have been included in an effort to maintain a customer-
centric posture and incorporate customer expectations into the
process.
Ongoing Review
Six months after the initial review and before the next analyst briefing
with investors, Betty Fund requested an update from Tylor Mann on
how the changes in culture had affected performance. While the
culture had not completely changed, there were some measurable
impacts:
• Walk-in traffic during extended opening hours remained high in
remote branches as customers looked to complete their banking at
the beginning or end of the day’s trading hours.
• Profitability and efficiency ratios deteriorated slightly after the initial
outlay of costs in implementing management changes but have
since stabilized.
Key Observation
Review activities should account for the time horizon of the entity’s strategy and
business objectives as well as any associated assumptions.
6 Reminder: The examples do not illustrate a complete view of all enterprise risk
management practices in an organization. Each organization should consider and adapt the
principles set forth in the Framework to its specific strategies, risks, and opportunities
based on its size, scale, and complexity.
7 Names of organizations and people in this example are fictional, and any resemblance to
actual organizations and people is coincidental.
Industry Context⁸
Energy sector entities include those that are involved in the
exploration, production, or management of resources such as oil,
gas, and coal, as well as others that service these industries. Entities
are usually divided into three major components: upstream,
midstream, and downstream.
Principles Demonstrated
The following principles are primarily demonstrated in this example:
• Principle 6: Analyzes Business Context–The organization considers
potential effects of business context on risk profile.
• Principle 7: Defines Risk Appetite–The organization defines risk
appetite in the context of creating, preserving, and realizing value.
• Principle 8: Evaluates Alternative Strategies–The organization
evaluates alternative strategies and potential impact on risk profile.
Discussion
Linking Risk Appetite to Mission and Vision
Senior management, as part of their annual review of risk appetite,
met on several occasions to discuss overall risk appetite. Individual
views on what constitutes acceptable risk taking for the business
were expressed, compared, and used as the basis of articulating the
overall risk appetite. There was strong consensus that the company
has always taken a conservative approach when dealing with
significant change that could introduce new risks or elevate current
risks to safety. This approach has always been considered prudent
given the nature of the product, the overall mission, and the
assessment of the maximum amount of risk Delta can absorb.
However, Delta is willing to accept slightly greater risk when
considering ways to improve customer service and overall financial
performance.
Management has chosen to portray risk appetite through the lens of
the key stakeholders: customers, employees, regulators, and
suppliers. By understanding what matters to the stakeholders, the
managers are better prepared to make decisions that align with those
views and reduce unintended challenges.
Key Observation
Using the same objective for both scenarios increases comparability between the
resulting risk profiles.
Each of the risk categories contained within the profile were reviewed
by several departments in the company, most importantly by finance,
human resources, marketing, media relations, operations, and
strategy. Once management was comfortable that there was
consensus on the risk ratings, they were able to develop a
comprehensive risk profile for each option. Figure 5.2 shows the level
of risk relative to varying levels of consumer consumption for both
types of meters. The performance measure is shown as percentage
demand of natural gas system capacity. Delta is able to operate for
short durations above its capacity by accessing gas reserves from
other neighboring utilities.
Figure 5.3 combines the information for traditional and smart meters
in a graph comparing the risk profiles. It shows that the traditional
meter has less risk at the current target level of demand, but as
consumption increases, the overall amount of risk increases. Delta
has little ability to change overall consumer demand, but smart
metering provides a mechanism to change customer behavior, which
impacts the demand. At the level of upper performance tolerance, the
risk associated with the two types of meters is the same (Point A).
The profiles show that as demand increases beyond the upper
performance tolerance, the risk associated with the smart meter is
lower than the traditional meter. Some of the risks that change at the
upper demand levels for the traditional meter are customer behavior,
regulator/government, supplier performance, and resources.
Management decided to recommend moving to the smart meter
technology, based on the overall impact on capacity demand
(performance). Consequently, they built a full business case to
present to the board and, ultimately to the regulator, to approve the
change to smart meters. After meeting with management, Delta’s
board agreed with the recommendation.
This approach also addressed a concern about capital investment
needed to expand capacity. At current growth rates, Delta knew it
would need to expand system capacity over the next ten years.
Implementing smart meters created the ability to shift demand, which
would defer this capital expansion. Management believed that with
proper planning and oversight, the company could successfully
implement such a strategy. Installing smart meters would allow the
company to allocate capital resources based on the risk appetite
developed. They were also aware that similar companies in other
regions might be willing to share experiences in implementing these
programs (because they weren’t direct competitors). With all this in
mind, the senior management team, with the help of human
resources, began to identify individuals to hire or assist with the
project.
Key Observation
Once the objectives are set, the conversation shifts to acceptable variation in
performance. Risk appetite is reflected in the setting of objectives and goals.
Key Observation
The business objectives developed form the basis of the risk assessment, considering
the risks to the achievement of each objective.
8 Reminder: The examples do not illustrate a complete view of all enterprise risk
management practices in an organization. Each organization should consider and adapt the
principles set forth in the Framework to its specific strategies, risks, and opportunities
based on its size, scale, and complexity.
9 Names of organizations and people in this example are fictional, and any resemblance to
actual organizations and people is coincidental.
10 This example has been simplified to focus on just one important strategic initiative. A
typical midstream company would likely have more than one initiative in development at
any time.
Industry Context¹¹
The not-for-profit sector consists of a wide variety of entities
dedicated to furthering a particular cause or advocating a particular
point of view. These entities are typically divided into two groups:
community-serving and member-serving. Community-serving entities
usually focus on delivering human services programs or projects, aid
and development programs, medical research, education, and health
services. Their reach may be local, regional, or international. Member-
serving entities include mutual societies, cooperatives, trade unions,
credit unions, industry and professional associations, sports clubs,
and advocacy groups.
Principles Demonstrated
The following principles are primarily demonstrated in this example:
• Principle 6: Analyzes Business Context–The organization considers
potential effects of business context on risk profile.
• Principle 7: Defines Risk Appetite–The organization defines risk
appetite in the context of creating, preserving, and realizing value.
• Principle 8: Evaluates Alternative Strategies–The organization
evaluates alternative strategies and potential impact on risk profile.
Discussion
Linking Risk Appetite to Stakeholder Goals
As a part of regular performance reviews, Echo Relief found that it
was making inconsistent decisions about deploying its resources to
different projects. In some cases projects were accepted that
stretched both volunteer and monetary resources. Consequently, the
board of directors decided that management should develop a risk
appetite statement. Echo has several stakeholders and the board
wanted to include perspectives from permanent staff, volunteers, and
donors in articulating the overall risk appetite. The discussion
centered on three core areas of concern:
• Staff and volunteer safety: because Echo Relief is mandate driven
and the projects accepted are often in fragile and conflict-affected
areas, they are willing to take on a moderate amount of risk relating
to the safety of staff and volunteers.
• Misuse of funds: the need to be good stewards of donor funds
requires a low appetite for risks relating to misuse of funds.
• Financing new programs: given the donor history, with a large
portion of funding coming from the general public with no
restrictions, Echo Relief has a higher appetite to take on risk relating
to financing new programs. It does not need to run targeted funding
campaigns and is able to fund new, innovative programs.
After the discussion on risk appetite, Echo Relief wrote the following
risk appetite statement for the entity overall:
Echo Relief will pursue new programs that enhance delivery of
services to those in need within our financial ability. We will accept
moderate risk to the safety of staff and volunteers as we respond to
disasters. In order to maintain good stewardship of donor funds, we
have a low appetite for risks related to misuse of funds.
In order to cascade the understanding of the statement, management
portrayed risk appetite in greater detail by aligning statements with
the stakeholders noted above. For instance, the part of the risk
appetite statement relating to staff and volunteers added clarity on
decisions impacting those individuals. These statements were cast as
shown in Figure 6.1.
Key Observation
When developing a risk profile, the element of time should not be included as a factor.
Key Observation
When developing business objectives, be sure to consider all the risks identified as part
of the strategy.
11 Reminder: The examples do not illustrate a complete view of all enterprise risk
management practices in an organization. Each organization should consider and adapt the
principles set forth in the Framework to its specific strategies, risks, and opportunities
based on its size, scale, and complexity.
12 Names of organizations and people in this example are fictional, and any resemblance to
actual organizations and people is coincidental.
7. Performance in a Consumer Products Company
Industry Context¹³
The consumer products sector includes a wide variety of companies
ranging from mass retailers and specialty stores to manufacturers
and distributors of packaged goods, such as food and beverages.
Consumer products companies often seek profitable growth by
expanding business scale and scope while simultaneously
rationalizing operations.
Consumer products entities may be influenced by any or all the
following external factors:
Principles Demonstrated
The following principles are primarily demonstrated in this example:
• Principle 10: Identifies Risk–The organization identifies risk that
impacts the performance of strategy and business objectives.
• Principle 11: Assesses Severity of Risk–The organization assesses
the severity of risk.
During its early years, Friendly Fruit Juice considered risk whenever a
significant issue arose. Often, Jamie Doyle, the chief executive officer
(CEO), would create small teams to identify the causes of the issue
and potential solutions. However, as the company grew, Jamie
realized the importance of having more timely and insightful
information for the business. The organization began to shift its focus
from these one-off meetings to integrating enterprise risk
management capabilities into daily business operations, mainly with a
goal of identifying and managing entity-wide risks. As enterprise risk
management has become more embedded in strategic decision-
making, management has increasingly focused on considering
various strategies, and chosen one that best fits the company’s core
mission.
Friendly Fruit Juice takes the time in the monthly senior management
meetings to discuss risk as it relates to the overall performance of the
business. Jamie also spends much more time updating the board of
directors on these conversations and engaging them to capture their
own views.
Discussion
Every week the marketing department reviews various mainstream
and social media postings to identify changes in customer sentiment
and identify any public issues with the reputation and brand.
Recently, the marketing director, Angarika Kapur, identified an
escalating trend in comments about the company’s juice line, with
many consumers requesting plant-based juices. The director
identified this change in the environment as potentially affecting the
company’s ability to meet one of its stated objectives: “develop
innovative products to meet customer needs.”
Procurement
The Procurement Department was responsible for identifying the raw
materials for the new plant-based juice line. Marley Harper’s team’s
primary objectives focused on obtaining high-quality ingredients at
the best possible price and adhering to all regulations regarding
pesticide usage. They also considered the company’s values and
sourced ingredients from local growers whenever possible (although
this was not a direct objective). They discussed the current business
environment and how it would affect the new juice line. Friendly Fruit
Juice sourced 90% of its fruit from five growers, four of which were
located within 100 miles of the processing plant. Although Friendly
Fruit Juice Company sourced ingredients primarily from local
vendors, it had agreements with vendors from other regions to allow
for the variability of weather conditions, which significantly affect
supply and prices. Of the five local growers, three also were growing
vegetables that could be used for the new line. All five had strong
records of strictly adhering to government requirements on pesticide
use.
Manufacturing
The Manufacturing Department also added the new line as a point of
discussion during its daily production run meetings. Simone
Jorgensen’s team had two primary objectives: meet customer
demand and produce high-quality juices at the best possible price.
The managers and directors of the department discussed the
performance target of having the plant-based product line account
for 20% of sales by the end of the first year. In their review of what
would be required to break down plants into juice, they determined
that no changes to the existing machinery would be needed. They
also discussed the potential of demand being greater than
anticipated and how that might affect production, noting that they
had two manufacturing plants in their distribution area to allow for the
raw materials to be sourced locally, and both plants were located
within a twenty-four-hour drive, which would allow for additional
capacity should there be a problem with any of the machinery used in
production. On this second point, they attained greater confidence
through modeling product flow from procurement through the full
manufacturing process, including the time needed to change
production runs from fruit-based to plant-based production, and vice
versa.
The Manufacturing Department identified four risks associated with
the objectives of the manufacturing department relating to the new
plant-based juice line, as shown in Figure 7.3.
Distribution
The Distribution Department identified two main objectives relating to
the new juice line: get the product into the distribution channels used
by target clients and leverage existing channels for efficiency and
best cost. Friendly Fruit Juice followed a selective distribution model
and focused their distribution channels on specialty retailers for
distribution of their current product line. The distribution for the new
line was anticipated to be similar, with the addition of a few new
vendors. Fabien Pisarski’s team did a process analysis and then
discussed the risks that they were currently managing for the fruit-
based line and how the new line might change those risks or add new
ones. The discussion centered on the ability to meet their two primary
objectives, as shown in Figure 7.4. The distribution team then
assessed the risks on the scale for likelihood and impact, as shown.
Fabien also brought her knowledge of the risks to the monthly senior
management meeting.
Marketing
The primary objective of the Marketing Department was to generate
new sales for the plant-based juice line. Friendly Juice Company has
focused on specialty retailers for distribution of their current product
line. After the decision was made to develop the plant-based juice
line, Angarika Kapur’s team reviewed information captured from a
variety of publicly available data and the focus group sessions with
potential users to understand the risk in developing a marketing plan.
Once the product launched, the marketing team met weekly to review
the prior week’s sales. As a part of these discussions, Angarika led a
discussion on what could prevent the company from meeting the
objective of the new product accounting for 20% of the sales mix by
the end of the first year. Figure 7.5 illustrates the risks identified.
Key Observation
Risk should be considered through the lens of objectives so that resources can be used
efficiently.
Key Observation
When assessing the objectives, the risk with the highest severity may not directly
transfer to the objective. The effect on objectives should be discussed.
Procurement
When they discussed the risks to the objective “Obtain high-quality
ingredients at the best possible price,” there was general consensus
that finding the right mix of ingredients would be critical to achieving
a tasty beverage. That meant more ingredients may be required,
which would represent a greater risk to the achievement of the
objective. Further, the dependency on multiple departments
increased the concern over achieving this objective. Therefore, the
team decided to rate the objective as medium (yellow). The second
objective “Adhere to all regulations regarding the use of pesticides”
was rated as medium, consistent with the respective risks.
Manufacturing
When they discussed the objective “Meet customer demand,” they
considered whether the risk that had been measured as high (red)
would translate to the objective being a higher risk. The senior
management team determined that the new quality assurance
process recently put into place across the department had not been
fully considered when assessing the risk, and therefore the severity of
the risks impacting the achievement of the objective was lower. The
second objective of “Produce high-quality products at the best
possible price” was rated as medium, consistent with the respective
risks.
Distribution
The conversation about the objective “Get the product into the
distribution channels used by customers” sparked much discussion
about how it should be measured. Given that the risks to this
objective were assessed as medium (yellow) and high (red), Marley,
Simone, Fabien, and Angarika wrestled with several questions:
• Should we combine the risk ratings for these two risks and use that
for the objective?
• Does one risk warrant more attention at the enterprise level than the
other?
• Considering both risks, what is the overall impact on the
performance for that objective?
They also considered that the risk was assessed differently by
different teams. The initial assessments were viewed as reasonable
for the respective areas. Ultimately, they determined this objective
was at higher risk given the contract environment with current
vendors. Many contracts had been recently negotiated and the
marketing department expressed concern with the negotiating
process for several of the vendors. The second objective of
“Leverage existing channels for efficiency and best cost” was rated
as moderate, consistent with the respective risks.
Marketing
Finally, the conversation about the objective “Generate new sales for
the plant-based juice line” had a more diverse risk assessment. While
there was overlap with other objectives and there remained a
lingering concern that a new plant-based line would have targeted
success, the management team remained confident that, overall,
there was a lower level of risk to the department objective.
Overall Analysis
After the discussion, it was determined that the company still had a
reasonable expectation of meeting the business objective and target
of “Develop a plant-based juice product to meet customer needs that
represents 20% of the overall product line.” The outcome of all of the
discussions of the objectives and the risks is shown in Figure 7.8.
By approaching the discussion of risks through the different
objectives they may impact, the team was able to determine which
objectives were at greatest risk of not being achieved and the effect
on the overall performance of Friendly Fruit Juices Company.
Specifically, this approach enabled the team to identify:
• Risks that could significantly impact a single objective
When prioritizing risk, organizations with multiple objectives and interconnected risks will
face a more complicated process. Additional considerations of complexity, adaptability,
velocity, persistence, and recovery should be considered.
• Adaptability was considered from the view that the company
was embarking into a new product line. Some objectives tied to
launching the new product line were impacted by the same risks
relating to its current product line, such as those relating to pricing
and distribution. However, other objectives could be impacted by
new risks that management would need to address for the first
time, such as the ability to appeal to a broader range of customers
and possible issues with product consistency and quality. Their
confidence in managing new risks to objectives was less than it was
for risks with well-proven responses, and there may be some
refinement needed when managing these risks. Risks that required
greater adaptability or change management efforts were prioritized
above those that did not.
• Complexity was viewed through the perspective of whether some
risks would impact other risks, or whether underperformance on
one objective would impede the achievement of another objective.
While several objectives were viewed as having potential overlap,
three objectives were identified as having important cost pricing
dependencies. These objectives related to procurement,
manufacturing, and distribution and the relevant risks were
prioritized as a result.
With this added information, Marley, Simone, Fabien, and Angarika
agreed that while the company needed to address all objectives, two
in particular required more focused attention.
1. The manufacturing objective “Produce high-quality products at the
best possible price” was considered by management as needing
added focus, as there were several medium-rated risks tied to that
objective and there were noted dependencies with the
procurement objective “Obtain high-quality ingredients at the best
possible price”.
2. The distribution objective “Get the product into the distribution
channels used by customers” was one of two objectives
associated with a red risk and the only objective to be assigned a
red status. While there was one other higher-rated risk impacting
the manufacturing objective “Meet customer demand”, the overall
assessed risk to the manufacturing objective was deemed lower,
suggesting that risks to this objective did not require the same
level of attention as the risks to “Get the product into the
distribution channels used by customers”.
In selecting the appropriate responses for the related risks (and
hence objectives) that were identified as the highest priority, the
management team considered the following factors:
• Business context: Risk responses were selected and tailored based
on the current business context for the company. Friendly Fruit
Juice Company enjoyed a strong brand following based on the
quality of the products used. The existing product lines used
organic, locally sourced materials where available.
• Costs and benefits: The strategy of producing a high-quality
beverage using organic, locally sourced materials without additives
could result in additional cost. Leonard Kruit, the chief financial
officer, produced an analysis showing the increased cost of
materials against the potential sales and revenue figures.
• Obligations and expectations: Compliance and regulatory
requirements, stakeholder expectations, and other obligations were
considered. A primary stakeholder for the company is the
consumer. Considering the prioritization criteria, senior
management decided to add two new suppliers to their vendor list
to provide the plant-based materials needed for their new line.
• Risks emanating from the response: New risks that may arise from
selecting particular responses were also discussed. Given the
response of adding two new suppliers for the plant-based
materials, the team considered the potential risks to the current
supply chain and any impacts on the contracts with current
suppliers.
• Opportunities emanating from the response: The team considered
what new opportunities may develop from selecting particular
responses. One of the two new vendors was a locally operated farm
that maintained a market on site for its goods and a booth at one of
the premier farmers’ markets in the area. Friendly Fruit Juice
determined that this could be an opportunity for joint marketing and
adding locations where their goods could be sold.
• Reduce: The team determined that the company should reduce the
severity of the risk. Some of the actions included:
• Reduce: The team determined that the company could reduce the
severity of the risk. While they considered various options on how
management could do that, they felt that the risk response would
be more effective if they were able to partner with another party.
Management’s Consideration
The discussions of the monthly senior management meeting were
captured to update the portfolio view of risk, which was presented to
the board. The focus of this presentation was the performance goals
associated with the business objectives that are either over- or
underperforming, the current portfolio view of risk, emerging risks,
interconnectedness of the risks, and what has changed since the
previous quarter. The presentation covered both quantitative
information, such as the combined potential financial impact of
certain related risks, and qualitative information, such as descriptions
developed by Marley, Simone, Fabien, and Angarika describing how
additional or modified responses were expected to reduce the
severity of risk.
After every quarterly presentation to the board, the results are
incorporated into dashboards, and staff meetings are held to
communicate the results and the monitoring and mitigation activities
to be implemented. The dashboard is organized by objectives and
includes a view from each level of Friendly Fruit Juice Company.
An Objective Perspective
As noted initially, Friendly Fruit Juice Company’s foray into
developing a stronger enterprise risk management approach was
driven by its goal to better identify and manage company-wide risks.
Through improved identification, assessment, prioritization, and
response activities, Friendly Fruit Juice recognized it could achieve its
objectives. They came to understand that the amount of risk to
objectives cannot be simply calculated by averaging likelihood and
impact. Rather, to meaningfully analyze their ability to meet their
objectives, the organization needed to look at their risks from an
overall perspective and understand how the performance of one
objective might affect the achievement of another. This perspective
provided Marley, Simone, Fabien, and Angarika with greater clarity on
which objectives required the most attention and what responses
offered a more efficient use of their respective resources.
13 Reminder: The examples do not illustrate a complete view of all enterprise risk
management practices in an organization. Each organization should consider and adapt the
principles set forth in the Framework to its specific strategies, risks, and opportunities
based on its size, scale, and complexity.
14 Names of organizations and people in this example are fictional, and any resemblance to
actual organizations and people is coincidental.
15 This example does not attempt to show how various strategies are evaluated and
selected; this aspect of the example has been condensed.
8. Performance in a Technology Company
Industry Context16
The technology sector consists of companies involved in the
production or delivery of technological products and services, such
as computers, semiconductors, software, IT infrastructure and
services, telecommunications, and home entertainment.
Technology entities may be influenced by any or all of the following
external factors:
• Political and government regulatory approaches to spectrum usage,
cloud computing, data privacy, sustainability, and infrastructure.
• Competition from cloud-based products and services that impact
the margins of traditional hardware businesses and affect people
with lower disposable incomes in developed countries, who are less
likely to buy high-end consumer products.
Principles Demonstrated
The following principles are primarily demonstrated in this example:
Discussion
To succeed with the product development and launch, Gulf
Technology formed a working group for the life cycle of new product
development, as Figure 8.2 shows. The group comprises
representatives from marketing, finance, development, and supply
chain, plus individual designers (front-end, industrial, etc.), and a
product manager who leads it. The group meets weekly to discuss
the status of the product during each phase of development. Any
member of the working group can raise for discussion any risk about
the project or product without any fear of retribution. Management
encourages this transparency to support risk-informed decisions and
improve the overall quality of products developed and delivered to
consumers.
This example follows the evolution of the risk profile for one product
through the phases of development to track and respond. (For the
purposes of this example, the earlier phases are not included.)
Develop Phase
During a meeting in the develop phase, the marketing manager
brought forward new information about changes in consumer
preferences for a particular feature of the product. This discussion
occurred because of a recently implemented practice to identify key
insights and potential risks during all new product development
projects.
Key Observation
When developing an overall risk profile, the element of time can be factored in by
developing a series of profiles throughout the product life cycle.
When the team gathered to discuss what they had learned about the
relevance of the product to customer satisfaction, the project leader
determined that they should accept more risk by modifying the
product design and potentially delaying the product release. By
accepting the additional risk to achieve the sales goals for this new
product, the risk curve steepened and shifted up, edging close to
Gulf Technology’s risk appetite. This is illustrated by comparing the
risk profile for the business unit objective of achieving sales goals for
new products in the design phase (Figure 8.4) and the develop phase
(Figure 8.5).
Product Launch Phase
The development and building of the new product progressed toward
the launch date. One month before the release date, the development
team reported to the working group that they needed a minimum of
three additional weeks to complete the testing of a component of the
product. At the same time, Stella Sharpe learned that the company’s
main competitor was aiming to release a similar product close to Gulf
Technology’s planned launch date.
With competing product objectives of releasing a new product on
schedule and having a fully tested product to obtain high customer
satisfaction, Stella prioritized the objectives and associated risks to
make a more effective and risk-informed decision, using several
criteria:
With input from the working group, and based on the criteria of
adaptability and complexity, Stella decided to release the product on
schedule rather than delay the launch. She determined that the
impact to overall sales would be significant if the product launch were
delayed due to additional testing and became the second product on
the market.
Prioritizing risks also helped management decide how to best
respond to them, given finite resources. Following the practice of
most companies, Gulf Technology looked to apply one of the
following risk responses to each risk: accept, avoid, reduce, pursue,
and share.
• Accept: Gulf Technology would launch the product with the
untested feature and determine later how to service the product as
issues arose.
• Avoid: They would remove the untested feature from the product.
• Reduce: They would delay the launch date and allow the
development team to perform the additional testing.
• Pursue: They would launch the product as expected, actually giving
prominence to an unproven technology.
Track-and-Respond Phase
The working group successfully launched the new product on
schedule. Once the product was in the market, Stella Sharpe tracked
several metrics including sales (e.g., product sales, gross profit
percentages), marketing (e.g., web traffic, number of leads
generated), and product (e.g., inventory management, customer
service requests). These metrics alerted management to key
indicators of both risk and performance.
Stella continued to track key indicators, and three months after the
product launch she reported that sales were lagging and customer
complaints about the missing feature were on the rise. In response,
the working group reviewed the entire product development life cycle.
Their goal was to understand what risks impacted the new product
development, at what stage they occurred, and how they affected the
new product and business division objectives.
With the results of this “postmortem,” Stella was able to analyze how
the risks associated with high customer satisfaction actually
increased in severity throughout the new product life cycle compared
to the risks associated with being first to market with an innovative
product. Although she had prioritized the objective of being first to
market during product development, it became evident that
customers would have accepted a short-term delay in the launch if
the end product had had all of the features they were expecting.
Specifically, a two- to three-week delay in the launch was determined
to be acceptable to customers, but not a delay of more than one
month. In fact, Gulf Technology determined that customers were
more sensitive to a product with all of the anticipated features and
were more likely to switch to a competitor’s product if their
expectations were not met. Stella used the analysis to adjust the
approach for other new product launch phases.
Additionally, this information from the postmortem fed into the
company-level portfolio view of risks. Specifically, it showed that the
risks to the objective of high customer satisfaction (risk of poor
customer experience and poor quality) maintained their severity as
they rolled up to the division- and company-level objectives. Those
dissatisfied customers who switched to a competitor product
affected Gulf Technology’s ability to meet its objective of achieving
sales goals for all new product launches. All this information helped
senior management better understand risks they may encounter in
the future. Figure 8.8 illustrates the portfolio view of risks.
16 Reminder: The examples do not illustrate a complete view of all enterprise risk
management practices in an organization. Each organization should consider and adapt the
principles set forth in the Framework to its specific strategies, risks, and opportunities
based on its size, scale, and complexity.
17 Names of organizations and people in this example are fictional, and any resemblance to
actual organizations and people is coincidental.
Industry Context18
Industrial products companies provide goods and services in the
chemical, engineering and construction, forestry, paper and
packaging, industrial manufacturing, metals, and transportation
sectors.
Industrial products entities may be influenced by any or all of the
following external factors:
• Trade policies of countries where a company operates, acquires
materials, transports goods, or sells products.
• Shifts in global economic power that create both barriers and
opportunities.
• Social unrest that may create risk and even disrupt the supply chain
or distribution networks.
Principles Demonstrated
The following principles are primarily demonstrated in this example:
During recent analyst calls, Myron Zblinski, the chief financial officer
(CFO), noted growing concern over Mostley Machinery’s ability to
sustain traditional levels of growth. Some pundits believed that the
industry was more likely to experience disruption as new
manufacturing techniques evolved, new materials became more
common, and other entrants were able to penetrate the market. The
analyst community historically viewed the company as one that
provided stable growth with a somewhat risk-averse or risk-neutral
approach. But now there was a growing sense that the company had
started to take on higher risk ventures in pursuit of higher growth
while reducing the focus on the lower-risk parts of the business that
made it initially successful. It remained unclear whether this was a
conscious decision to pursue higher margin products or whether the
company had simply drifted from its original focus. This situation had,
unfortunately, led some analysts to indicate that they may shift their
recommendation from “buy” to “hold.” In response, the senior
management team recognized that they needed to better
communicate the company’s view on risk overall and its strategy for
addressing changes that impact the company.
Discussion
The information that senior management used to understand the
company’s performance came from many sources. In the past, they
typically relied on their own internal reviews, but the recent concerns
of the analysts prompted them to take a fresh look at things. They
needed to determine if the current enterprise risk management
capabilities were meeting the company’s needs. Specifically, they set
out to determine if:
• The company was identifying and responding to changes in
customer preferences, supply chain, materials, etc.
• Risk was impacting performance in ways that were currently
undetected.
Key Observation
In a small business setting, senior leadership can equip the organization to respond to
risks and identify opportunities by discussing the impact of internal and external changes
on the company’s portfolio view of risk.
Key Observation
Considering the effect of developments in the external environment on the portfolio view
of risk gives the organization the ability to respond to certain risks before they materialize
and to identify areas where these developments create strategic opportunities.
The team considered what steps the company could take to mitigate
this risk, which led to them discussing opportunities to differentiate
themselves from competitors and create added value. They came up
with a two-part proposal: First, the company should actively pursue
3D printing to internally produce replacement parts potentially at
reduced cost by using AutoCAD. Second, rather than retaining the
AutoCAD files for company use and waiting for customers or other
third parties to develop their own specifications to produce parts,
Mostley Machinery could provide customers with the
stereolithography files with the purchase of one of its pieces of
equipment. This practice could then be marketed as a competitive
differentiator. This idea was recorded and provided to the strategy
and finance team to consider in an upcoming planning cycle.
Assessing Performance and Considering Risk
The second issue was whether risk was impacting performance in
ways that were undetected. The company had a series of goals
aligned to each of its objectives. Each of the goals included a
quantifiable aspect, so that the company could track performance,
which was reported as part of the quarterly business performance
review. Senior leadership reviewed the metrics for each goal
quarterly. On review, two metrics stood out: sales by region and sales
by product type, illustrated in Figure 9.1.
The team also reviewed the revenue from replacement parts. The
goal was to maintain the percentage of revenue from sales of
replacement parts to overall sales at 7%. The company wanted to be
sure that it remained—above all—a provider of equipment, as that
generated a much higher profit margin than the sale of replacement
parts. At the same time, the company wanted to retain its
replacement parts customers, rather than losing them to its
competitors for those parts, or worse, for new equipment.
Taking all this information into account and reviewing historical data
to understand seasonal and other trends, the company defined a
lower boundary for the tolerance of 3% and an upper boundary of
11% (see Figure 9.2). Senior management determined that having
replacement parts revenue below 3% suggested that parts were
being over-engineered with a higher cost to produce. Above 11%,
there was likely either a reliability problem with current parts or
customers were keeping the machine past the intended useful life,
choosing to repair rather than replace machines.
In one quarter, the actual performance was 12% (shown as the solid
green line in Figure 9.2). This shift in the percentage of revenue from
replacement parts presented a confusing trend for senior
management. They viewed it as being a higher risk to future revenues
because, as noted above, customers could easily shift to lower-cost
aftermarket versions or use 3D printing to create their own parts.
In researching the reasons for the 12% replacement sales, senior
management identified that three years ago, Mostley Machinery had
streamlined its operations to pursue the goal of operating efficiently.
Management was now starting to see the longer-term implications of
that change. An estimated 70% of the customers were replacing a
part purchased (either on their own or as part of new machinery)
within two to three years, rather than the targeted ten-year useful life.
These failure times were occurring just before the warranty period
ended. This increased failure rate was resulting in higher sales
revenue from replacement parts but also incurring higher warranty
repair costs for Mostley Machinery.
Key Observation
• The chief financial officer (CFO) noted that risk management was
formally part of the budget planning sessions. The budgeting
process asked two questions: Have we allocated funds to support
initiatives to enhance the managing of risk where needed? What
efforts are we funding that provide minimal impact on amount of
risk taken by the company?
• The chief operating officer (COO) noted that risk was a topic for
discussion at every operations meeting in addition to the regular
discussions on new staff, training, production targets, and quality
assurance results. The plan was to move risk from being a separate
agenda item to being a factor of every topic, but that change would
likely take twelve to eighteen months.
• The chief information officer (CIO) noted that risk assessments were
being used in the review and development of new technology on a
company-wide basis, where common technology was used by
multiple departments. These assessments had helped to identify
potential problems in past projects.
• The vice president of human resources noted that risk management
was being woven into performance reviews.
While there were many positive practices noted in these
conversations, it became apparent that there were opportunities for
improvement. For instance:
• Changing revenue patterns over time had not been a focus, as the
company typically compared only the current quarter to the prior
quarter, or the current year to the prior year. This meant that
slowly evolving trends were not necessarily identified.
• None of the senior leadership team was able to articulate why the
amount of risk taken by the company was appropriate. Few could
state with confidence whether it was too high or too low. Most
relied more on personal judgment and experience to determine the
appropriate amount of risk.
• While the CEO and internal auditor attended performance meetings,
there was no sharing of information across these meetings. There
were concerns that some risks potentially impacting more than one
group might still be looked at in isolation. For instance, at the same
time the CFO was asking for spending on research and
development to be reduced, the COO was seeing a growing need
to increase efforts on new product development.
• The company had a spot bonus program for rewarding individuals
for specific efforts. The vice president of human resources noted
that of the spot bonuses awarded in the past twelve months, 40%
related to culture (doing the right thing for the client), 40% related to
efforts to help meet an internal deadline, and 20% related to long-
time service. None of them related to instances of individuals
helping shape the risk profile of the company through their
decisions. All senior leadership team members were encouraged to
consider spot rewards for such instances.
Changing Practices
Management realized that it was important to develop capabilities
that:
• Support people in making decisions across the company that
reflect a common understanding of acceptable risk taking.
• Consider how performance evolves over a longer period than just
one year to the next.
• Enhance communications to the board on emerging risks that could
disrupt the business.
• Enhance communications with the analyst community. Most
notably, they needed to develop a way to better communicate how
risk factored into decisions.
Each executive was asked to develop a view of the type and amount
of risk acceptable for the strategies related to their area of the
business. Once this was done, the senior leadership members met
with their staff to get feedback on how such a statement might be
useful in practice and what needed to be made clearer. The senior
leadership then met as a group to discuss, revise, and ultimately
finalize the statements.
Figure 9.3 lists a few risk appetite statements that the company
developed by entity-level objective to use in decision-making.
Once the executive risk committee finalized the statements, they
invited the board of directors to review and comment on them. The
statements were then sent to all executives and managers, who were
encouraged to refer to them when making decisions that involved
assuming a certain level of risk. They were also instructed to elevate
the decision to the next level if they felt uncertain whether the risk
they were taking aligned with the company’s risk appetite.
One method the company used to assess the success of their efforts
was revisiting the sales trend analysis previously completed and the
percentage of sales represented by replacement parts. As part of that
assessment the senior team reflected on the risk appetite
expressions, noting that the company:
• Has a low tolerance for risks that create situations or actions that
could negatively impact customer trust.
• Will seek to produce equipment of superior quality and reliability,
understanding that such goals may come with a cost.
• Has stakeholders who expect strong financial performance and will
not accept risks that unnecessarily erode financial performance.
The result of the assessment was a new risk profile, which was
presented to senior management, showing three possible levels of
risk appetite (see Figure 9.4). In this case, since the company had a
history of performance and an understanding of risk to that
performance, risk appetite was being set by management in the
context of actual performance (i.e., “We know our performance and
tolerance, and now we are figuring out where appetite should be”).
After considerable discussion and debate, the senior management
team agreed that risk appetite was best depicted as line B. With this
decision made, it became clear that the actual level of performance
indicated exceeded the overall risk appetite and, therefore, remedial
actions were needed.
Key Observation
Small businesses may have a less-formal process for regularly reviewing and discussing
risk. This may include a management meeting every quarter with key leaders, where risks
and interdependencies are discussed.
18 Reminder: The examples do not illustrate a complete view of all enterprise risk
management practices in an organization. Each organization should consider and adapt the
principles set forth in the Framework to its specific strategies, risks, and opportunities
based on its size, scale, and complexity.
19 Names of organizations and people in this example are fictional, and any resemblance to
actual organizations and people is coincidental.
Industry Context20
Healthcare providers deliver medical services to patients ranging
from routine care to specialized critical care such as surgery,
psychiatry, obstetrics and gynecology, and oncology. Healthcare
providers may fit into one of a variety of business models: non-
governmental, governmental, not-for-profit, for profit, religious, or
academic.
Healthcare may be influenced by the following external factors:
• Competition for staff at all levels due to increasing demand from all
types of healthcare providers.
• Staff operating in silos, which affects information sharing.
• Dependency on technology in all aspects of the delivery model,
from decisions on patient care to reimbursements for services
delivered.
Principles Demonstrated
The following principles are primarily demonstrated in this example:
Discussion
Emma called the director of nursing, Antonio Garcia, to talk to him
about the recent media coverage and its impact on the nursing staff.
She told him that the leadership team was contemplating a number of
large-scale initiatives, but even if approved by the board, those would
likely take several years before comprehensively addressing the
growing wait lists and the impact on staff. Emma asked Antonio to
develop an interim plan of action to continue to attract and retain
nursing staff.
Antonio and Eva then tackled the job of understanding the culture of
the nursing staff. Culture affects why nurses want to stay at a
hospital, and the data showed that once nurses chose Highlands they
tended to stay. This understanding was critical as they looked to
identify and recruit new nurses. What behaviors, they wanted to know,
drive that culture, and what encourages nurses to continue working at
Highland Hospitals? To find out, they sent a survey to the nursing
staff encouraging them to share their views anonymously. The survey
asked nurses:
• When do you feel the most appreciated?
• Do you feel the management team is transparent?
Using the information that he and Eva had gathered, Antonio started
to develop a plan of action to present to the board. The plan included
the following suggestions:
• Launch a digital recruitment campaign to encourage applications at
the nursing schools.
Together, they prepared an integrated plan of action for the CEO that
outlined:
20 Reminder: The examples do not illustrate a complete view of all enterprise risk
management practices in an organization. Each organization should consider and adapt the
principles set forth in the Framework to its specific strategies, risks, and opportunities
based on its size, scale, and complexity.
21 Names of organizations and people in this example are fictional, and any resemblance to
actual organizations and people is coincidental.